
Getting local ports into Splunk


Hello

I have splunk enterprise installed on a local macos device for testing. I get the DNS traffic into splunk.

I have tried the GUI to add a UDP port 53 data input, but receive this problem: Parameter name: UDP port 53 is not available.

I have also tried:
sudo /Applications/Splunk/bin/splunk add udp 53
Parameter name: UDP port 53 is not available.
and this:
sudo /Applications/Splunk/bin/splunk enable listen 53
Parameter name: TCP port 53 is not available.

I understand ports below 1024 must be root; however, I don't want to run Splunk as root, and I am not sure this is the problem.

Can someone please confirm if I have to run Splunk as root to be able to listen to my own local ports, or do I have some other issue, and what are some options to get local ports < 1024 into Splunk?


Re: Getting local ports into Splunk

SplunkTrust

Hi ajhstn,

As you correctly stated, this is not possible without running Splunk as root, but there is a workaround. Read this answer to make it work securely: https://answers.splunk.com/answers/242650/how-to-allow-splunk-to-connect-udp-161-port-in-lin.html

And since you are using OSX, it might be good to have a read here to get an idea of how it is done on OSX: https://serverfault.com/questions/102416/iptables-equivalent-for-mac-os-x

Hope this helps ...

cheers, MuS

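The workaround MuS points to, carried out on macOS with pf (the iptables equivalent there): redirect inbound UDP/53 to an unprivileged port and have Splunk listen on that port as a normal user. This is an added example, not code from the thread or from Splunk; it assumes Splunk in /Applications/Splunk, interface en0, target port 10053, and an anchor name splunk-dns that must be referenced from /etc/pf.conf.

```shell
#!/bin/sh
# Added example: let a non-root Splunk receive UDP/53 by rewriting the
# destination port with pf, so only pfctl (not splunkd) needs root.
SPLUNK_HOME="${SPLUNK_HOME:-/Applications/Splunk}"   # assumption
IFACE="${IFACE:-en0}"                                  # assumption
PRIV_PORT=53
HIGH_PORT=10053                                        # assumption: free, >1024
ANCHOR=splunk-dns                                      # assumption

# Build the pf rdr rule: packets to <iface>:<priv_port>/udp are delivered
# to 127.0.0.1:<high_port> instead, where an unprivileged process may bind.
pf_rule() {
  printf 'rdr pass on %s inet proto udp from any to any port %s -> 127.0.0.1 port %s\n' \
    "$1" "$2" "$3"
}

# Load the rule into its own anchor so the rest of the ruleset is untouched.
# /etc/pf.conf needs a line  rdr-anchor "splunk-dns"  for the anchor to apply.
apply_redirect() {
  pf_rule "$IFACE" "$PRIV_PORT" "$HIGH_PORT" | sudo pfctl -a "$ANCHOR" -f -
  sudo pfctl -e 2>/dev/null || true        # enable pf if it is not running yet
}

# Splunk itself binds the high port only; no root and no port 53 involved.
add_splunk_input() {
  "$SPLUNK_HOME/bin/splunk" add udp "$HIGH_PORT" -sourcetype dns
}

# Sanity check: splunkd (as the current user) must actually own the socket.
check_listener() {
  lsof -nP -iUDP:"$HIGH_PORT" | grep -q splunkd
}

case "${1:-}" in
  apply) apply_redirect && add_splunk_input && check_listener ;;
esac
```

Run it as `sh redirect53.sh apply`; the two sudo calls cover pfctl only, and the Splunk input is added by the user Splunk runs as.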