Default port udp/513

timothy_e_rabor
Explorer

Is port udp/513 an absolute, or is it just a matter of changing the stanza in the inputs.conf file? I run Splunk as a non-root user, so I can't configure it to listen on a port < 1024 (I realize too that I can play around with some port redirection, but it seems simpler to just change the default port).


mreynov_splunk
Splunk Employee
[udp:<port>]
* This input stanza is the same as [udp://<remote server>:<port>] but without any remote server restriction
* Please see the documentation for [udp://<remote server>:<port>] to follow supported settings:
connection_host = [ip|dns|none]
_rcvbuf = <integer>
no_priority_stripping = [true|false]
no_appending_timestamp = [true|false]
queueSize = <integer>[KB|MB|GB]
persistentQueueSize = <integer>[KB|MB|GB|TB]
listenOnIPv6 = <no | yes | only>
acceptFrom = <network_acl> ...

http://docs.splunk.com/Documentation/Splunk/latest/admin/inputsconf


timothy_e_rabor
Explorer

The question isn't about inputs.conf. It's about the FortiOS 5 app itself. The documentation refers to using udp/513. I'm asking about using an alternate port for the app. Is changing the inputs.conf file all that is necessary? Will the app still function properly on an alternate port?


mreynov_splunk
Splunk Employee

On the Splunk side, it should not matter, but you would need to configure FortiOS to pump logs through the new port.

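Putting the two answers together as a concrete inputs.conf for the heavy forwarder (an added example, not posted by anyone in this thread and not the FortiOS app's own configuration; the port 1514, the FortiGate address 192.0.2.10 and the file location are assumed placeholders, the sourcetype fortios5 is the one named in the thread):

```ini
# Added example, not from the thread. Assumed location on the heavy forwarder:
# $SPLUNK_HOME/etc/apps/<fortios_app>/local/inputs.conf (local/ overrides default/).
# A non-root splunkd cannot bind ports below 1024, so the documented default
# listener is moved to an unprivileged port; everything else stays as the app expects.

# Before: the documented default. Fails to bind when splunkd runs as non-root.
# [udp:513]
# sourcetype = fortios5

# After: same input, unprivileged port (1514 is an assumed value).
[udp:1514]
sourcetype = fortios5
# Resolve the sending host from the packet's source IP, as for the default input.
connection_host = ip
# Only accept datagrams from the FortiGate itself (assumed address); without
# acceptFrom any host that can reach the forwarder could inject fortios5 events.
acceptFrom = 192.0.2.10
# Leave syslog priority/timestamp handling at the defaults so the app's
# field extractions see the same raw events they would on udp/513.
no_priority_stripping = false
no_appending_timestamp = false
```

After restarting splunkd and pointing the FortiGate's syslog destination at the new port, a search such as `sourcetype=fortios5 | stats count by host, source` confirms arrival; the source field of a UDP input is `udp:<port>`, so a port other than the one you expect is the first thing to check. If events index correctly but the app's dashboards stay empty, the port is not the cause, and the app and object permissions suggested later in this thread are the next place to look.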

timothy_e_rabor
Explorer

I'm getting logs no problem. The FortiGate device is set to send logs to one of my heavy forwarders. The HF is set to receive properly - logs are being indexed as sourcetype fortios5. That's all working fine.

However, no data is showing in the app itself. The only real deviation I've done is the alternate port. I wouldn't see how that would affect it otherwise if the data is being indexed as the expected sourcetype.


mreynov_splunk
Splunk Employee

If it never worked, I would suggest looking at the app and object permissions.
