Unable to use Diode Receiver/Sender Add-On

raviopensource
Engager

Unable to use Diode Receiver/Sender Add-On. Understandably, the TCP data is encapsulated in UDP and is un-encapsulated on the Splunk end. Is there any guide on how to set this up? I have been trying this for more than a week without success.

0 Karma

micheloosterhof
New Member

Hello! I'm the author of the app.
Could you please let me know where you are stuck at the moment? Is it on the sending or receiving side?
Are you using TCP or UDP as the protocol? (Some diodes do support a TCP simulation but then there's only payload going one way).
Do you see traffic in Wireshark/tcpdump?

0 Karma

Prewin27
New Member

Hi @micheloosterhof ,

I installed the add-ons on both sides and configured the sender IP and port details. But on the receiving indexer, where the diode receiver is configured, I am getting the error message below.

ERROR TcpInputProc- Message rejected. Received unexpected message of size=1010053694 bytes from src=x.x.x.x in streaming mode. Maximum message size allowed=67108864. Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

Here, I'm sending traffic to the default Splunk TCP port 9997. Should I change that to a different TCP port, or will UDP be fine?

0 Karma

micheloosterhof
New Member

Port 9997 will not work, this is the port for the S2S protocol, and since this protocol is TCP based and requires packets to go both ways, this will not work across a diode.

You should be using the custom listener port in the receiver app and send data to that from the sender app.

0 Karma
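A triage helper for the TcpInputProc error Prewin27 quoted, added here as an example; it is not code from the add-on or its author. It assumes that the size in an "unexpected message of size=N" line is the first four bytes of the connection read as a big-endian length, which the error text suggests but the thread does not state. Under that assumption 1010053694 decodes to the ASCII bytes <42>, a syslog priority header (facility 5, severity 2), which is exactly what a syslog-framed sender pointed at the S2S port would put on the wire first. The sample line is the one from the post above, with its src left as posted.

```python
"""Decode the "size" in a splunktcp (S2S) rejection back into the bytes that hit port 9997.
Assumption (not stated in the thread): S2S reads the first 4 bytes of a stream as a
big-endian message length, so the reported size *is* the first 4 bytes of the payload."""
import re

S2S_MAX = 67108864  # "Maximum message size allowed" quoted in the error line
ERR_RE = re.compile(r"unexpected message of size=(\d+) bytes from src=(\S+)")

# Constructed sample: the error line as posted in this thread.
SAMPLE = ("ERROR TcpInputProc- Message rejected. Received unexpected message of "
          "size=1010053694 bytes from src=x.x.x.x in streaming mode. Maximum "
          "message size allowed=67108864. Possible invalid source sending data "
          "to splunktcp port or valid source sending unsupported payload.")


def size_to_prefix(size: int) -> bytes:
    """Reverse the length decode: the 32-bit size as the 4 bytes seen on the wire."""
    return size.to_bytes(4, "big")


def triage(line: str) -> dict:
    """Classify one TcpInputProc rejection line by what its first 4 bytes look like."""
    m = ERR_RE.search(line)
    if not m:
        return {"matched": False}
    size, src = int(m.group(1)), m.group(2)
    if size > 0xFFFFFFFF:
        return {"matched": True, "src": src, "size": size, "prefix": None,
                "verdict": "not-a-32-bit-length"}
    prefix = size_to_prefix(size)
    text = prefix.decode("ascii", errors="replace")
    if re.match(r"<\d{1,3}>", text):
        # A "<PRI>" syslog header was read as a length field: the sender add-on
        # (or any syslog source) is aimed at the S2S port instead of the
        # receiver app's own listener (6003/6004 in the README).
        verdict = "syslog-on-s2s-port"
    elif text.isascii() and text.isprintable():
        verdict = "cleartext-on-s2s-port"   # some other plaintext protocol
    else:
        verdict = "unknown-binary-prefix"    # genuinely unsupported S2S payload
    return {"matched": True, "src": src, "size": size, "prefix": prefix, "verdict": verdict}


if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"src={result['src']} size={result['size']} first_bytes={result['prefix']!r} "
          f"verdict={result['verdict']}")
```

Run it against splunkd.log lines with `grep 'TcpInputProc' splunkd.log | while read -r l; do python3 -c "import triage; print(triage.triage('$l'))"; done` style plumbing, or just paste a line in; a `syslog-on-s2s-port` verdict means the fix is the one micheloosterhof gives above (send to the receiver app's listener port, not 9997), not a change of transport.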

djbutor
New Member

I'm not expert enough with either Splunk or the diode to get these to work with just the instructions provided. Is there any chance you might be able to give more detailed instructions for using these add-ons?

Once the add-on is imported into the sending and receiving Splunk server what all needs to be done to get it to function including the file locations that need to be edited?

What needs to be done on the sending and receiving side of the diode beyond updating the iptables file to allow communication through ports 6003 or 6004?

0 Karma

micheloosterhof
New Member

Hi @djbutor

Both the sending and the receiving app need some configuration. First decide whether to use TCP or UDP. I recommend TCP if your diode has support for it, otherwise fall back to UDP.

Then configure the sender with the IP address of your diode, check the README.md and instead of the 127.0.0.1 put in the hostname or IP address of the diode and the port you want to use.

You may need to configure items on the diode itself, but this will depend on the make and model.

Then on the receiving side you need to listen to the specified port number, accept traffic and assign the appropriate sourcetype.

To troubleshoot, use tcpdump or Wireshark. The entire protocol is cleartext and easy to read, and that will make clear whether or not you are sending and receiving data.

0 Karma

hkacar
Engager

Hello,

The only official documentation that I see is the one under Details on Splunkbase. Did you try that?

Create a local/inputs.conf and enable either TCP or UDP:
The ports can be changed as long as they match the sender Add-On.

# Listen on a TCP port to receive syslog traffic from the diode
# Configure incoming TCP syslog to not append a timestamp or hostname.
# TCP does not strip the priority byte by default.
[tcp://6003]
disabled = 0
sourcetype = diode-syslog

# Listen on a UDP port to receive syslog traffic from the diode
# Configure incoming UDP syslog to not append a timestamp or hostname.
# UDP strips the priority byte by default. Keep it to be consistent with TCP.
[udp://6004]
disabled = 0
no_appending_timestamp = true
no_priority_stripping = true
sourcetype = diode-syslog

0 Karma
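A loopback check for the setup described in micheloosterhof's steps (sender aimed at the diode, receiver listening on the chosen port, verify with a packet capture) and in the inputs.conf above. This is an added example, not code from the Diode Sender/Receiver add-ons. It assumes the sender emits newline-delimited syslog lines ("<PRI>message"), which is what the diode-syslog stanzas are written for; the two throwaway listeners stand in for the [tcp://6003] and [udp://6004] inputs (ephemeral ports on 127.0.0.1 so it runs anywhere), and `model_udp_input` models only the two settings the README comments discuss (priority stripping, timestamp/hostname prepending), not Splunk's full parsing. `send_event` can also be pointed at the diode's real address while tcpdump runs on the far side.

```python
"""Loopback test of the diode sender -> receiver path (added example, not the add-on's code).
Assumes syslog framing "<PRI>message\\n"; the listeners here are stand-ins for the Splunk
TCP/UDP inputs and model_udp_input is a simplified model of the README's two UDP settings."""
import re
import socket
import threading

PRI_RE = re.compile(rb"^<(\d{1,3})>")


def frame(message: str, facility: int = 1, severity: int = 6) -> bytes:
    """One syslog line as the sender side emits it: PRI = facility*8 + severity,
    newline terminated. Defaults give <14> (user.info)."""
    return b"<%d>%s\n" % (facility * 8 + severity, message.encode())


def send_event(host: str, port: int, proto: str, message: str) -> bytes:
    """Send one framed event over 'tcp' or 'udp'; returns the bytes put on the wire.
    Against a real diode, run tcpdump on the receiving side to see this arrive."""
    payload = frame(message)
    if proto == "tcp":
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(payload)
    elif proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(payload, (host, port))
    else:
        raise ValueError("proto must be 'tcp' or 'udp'")
    return payload


def model_udp_input(payload: bytes, no_priority_stripping: bool,
                    no_appending_timestamp: bool, src: str = "10.0.0.1",
                    stamp: str = "Jan  1 00:00:00") -> bytes:
    """Simplified model of what a [udp://...] input hands on. Per the README comments,
    the UDP default strips the leading <PRI> and prepends a timestamp and host; with
    both settings true the line passes through unchanged, matching the TCP path."""
    line = payload.rstrip(b"\n")
    if not no_priority_stripping:
        line = PRI_RE.sub(b"", line, count=1)
    if not no_appending_timestamp:
        line = f"{stamp} {src} ".encode() + line
    return line


def run_loopback(message: str = "diode test event") -> dict:
    """Start throwaway TCP and UDP listeners on 127.0.0.1 (ephemeral ports standing in
    for 6003/6004), push one event through each, and return the raw bytes received."""
    got = {}
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind(("127.0.0.1", 0))
    tcp_srv.listen(1)
    tcp_srv.settimeout(5)
    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_srv.bind(("127.0.0.1", 0))
    udp_srv.settimeout(5)

    def tcp_listener():
        conn, _ = tcp_srv.accept()
        conn.settimeout(5)
        with conn:
            chunks = []
            while True:                      # read until the sender closes
                data = conn.recv(65535)
                if not data:
                    break
                chunks.append(data)
            got["tcp"] = b"".join(chunks)

    def udp_listener():
        got["udp"], _ = udp_srv.recvfrom(65535)

    threads = [threading.Thread(target=tcp_listener), threading.Thread(target=udp_listener)]
    for t in threads:
        t.start()
    try:
        send_event("127.0.0.1", tcp_srv.getsockname()[1], "tcp", message)
        send_event("127.0.0.1", udp_srv.getsockname()[1], "udp", message)
        for t in threads:
            t.join(5)
    finally:
        tcp_srv.close()
        udp_srv.close()
    return got


if __name__ == "__main__":
    got = run_loopback()
    print("tcp listener got :", got["tcp"])
    print("udp listener got :", got["udp"])
    # Why the README pins both UDP settings: default handling would diverge from TCP.
    print("udp, defaults    :", model_udp_input(got["udp"], False, False))
    print("udp, as configured:", model_udp_input(got["udp"], True, True))
```

The same bytes arrive on both transports, which is the point of the cleartext protocol: if tcpdump on the receiving host shows "<14>diode test event" on the listener port but nothing is indexed, the problem is the inputs.conf stanza (port, disabled flag, sourcetype), not the diode; if tcpdump shows nothing, the sender or the diode is at fault.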