All Apps and Add-ons

Splunk cluster collecting UDP log receiving port

louismai
Path Finder

Hi all,

I have a cluster with 2 indexers. I want to collect the UDP logs from Fortinet Firewall. I have setup the syslog forwarding from our FW to 1 indexer, but we haven't received any log data.
My FW: forward UDP connection to 172.25.1.26:9997
My IDX: 172.25.1.26 and 172.25.1.25

Is my setup correct, or I need to forward to both IDX?

Tks
Louis.

Tags (1)
1 Solution

grumpcat
Engager

Hello,

While you can forward syslog directly to an indexer, best practice is to forward to a syslog collector which then would write the log locally for a retention period (usually 1-7 days). Then you would have a forwarder monitor those log files and send out. This helps in cases where you need to restart the indexers and not drop UDP. Additionally this helps with resources and load balancing.

As for why you are not getting logs CURRENTLY via this setup:

We use 9997 (historically) for Splunk to Splunk data transmission. If you are setting up straight UDP syslog you are going to want to make a new UDP listener under http://localhost:8000/en-US/manager/launcher/data/inputs/udp. Assign a sourcetype, index, and port. See https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Monitornetworkports .

Don't forget to open local firewalls on the host.

View solution in original post

gcusello
SplunkTrust
SplunkTrust

Hi louismai,
it isn't a best practice to use Indexers to ingest syslogs, especially an Indexer Cluster because during maintenance it's possible to have both the Indexers in stand by so you could loose syslogs.
The best practice is to use two Splunk Heavy Forwarders (that are full Splunk installations where all the logs are forwarded to Indexers) and a Load Balancer that in normal run balances logs between indexers and in fail or maintenance Indexers condition sends logs to the active Indexer and eventually caches (if both Indexers are down).

These servers can be virtual servers without great configurations (e.g. 4 CPUs and 8 GBs of RAM).
If you haven't a Load Balancer, you can use a DNS setting as a Load balancer.

Ciao.
Giuseppe

grumpcat
Engager

Hello,

While you can forward syslog directly to an indexer, best practice is to forward to a syslog collector which then would write the log locally for a retention period (usually 1-7 days). Then you would have a forwarder monitor those log files and send out. This helps in cases where you need to restart the indexers and not drop UDP. Additionally this helps with resources and load balancing.

As for why you are not getting logs CURRENTLY via this setup:

We use 9997 (historically) for Splunk to Splunk data transmission. If you are setting up straight UDP syslog you are going to want to make a new UDP listener under http://localhost:8000/en-US/manager/launcher/data/inputs/udp. Assign a sourcetype, index, and port. See https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Monitornetworkports .

Don't forget to open local firewalls on the host.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...