TCPDUMP Command

anandhalagarasa

Hi Team,

We have configured the HTTP Event Collector on our indexer server (Linux machine) and shared it with the requester. But there is a connection issue, hence they are unable to ingest the logs into Splunk.

So we want to know how to run tcpdump from our indexer and see if there are any traffic issues.

What is the command to run tcpdump on the Linux machine of an indexer server, and from where should I run the command?


renjith_nair

@anandhalagarasan,

Probably you should start by looking at the client side, i.e. what error the client is getting. Here is a list of error codes and their descriptions for your reference:

https://docs.splunk.com/Documentation/Splunk/7.2.4/Data/TroubleshootHTTPEventCollector#Possible_erro...

Also make sure that HEC is enabled correctly and that the configured port (default 8088) is listening (netstat).

Reference : http://dev.splunk.com/view/event-collector/SP-CAAAE7F

If you have a firewall in between your client and indexer, you might want to check there as well to make sure that the traffic is allowed (IP & port).

A simple tcpdump can be run from the indexer as:

tcpdump -i eth0 -nn -s0 -v port 8088
---
What goes around comes around. If it helps, hit it with Karma 🙂

nickhills

OK, a couple of things:
1.) It is not recommended to run an HEC on an indexer (it's fine for a lab/test environment, but if this is production you should really install a dedicated HEC receiver and use it to forward events to your indexers).
2.) You need to know the port that your HEC is running on. The default port is 8088, but you may have set this to something else.
3.) Before you start running tcpdump (which on a busy indexer could be very intensive), start by checking some other things first:
a.) Is the HEC running? Run netstat -lpen and look for processes listening on the relevant port (8088; the process should be splunkd).
b.) Check your firewall rules: sudo iptables -L -v -n | more or firewall-cmd --list-all [--zone=your_zone]. Make sure there are rules for 8088.
c.) Check that the certificate presented by your HEC is valid: openssl s_client -connect your.splunk.hec.server:8088 (run this on the server to check the cert is presented, and also run this from the client to confirm end-to-end communications).
4.) If all of the above checks out, then briefly run tcpdump to see what traffic arrives: tcpdump -i eth0 'port 8088'

If my comment helps, please give it a thumbs up!
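The checks in the answer above, gathered into one script as an added example (this is not code from the thread or from Splunk). It assumes HEC on port 8088 and interface eth0 (override with HEC_PORT and HEC_IFACE), a listener named splunkd, and that netstat or ss, iptables, openssl, timeout and tcpdump are installed; the sample netstat/ss lines are constructed for the self-test.

```shell
#!/bin/sh
# Added example (not code from the thread): the checks above as one script.
# Assumed defaults: HEC port 8088, interface eth0 (override via HEC_PORT/HEC_IFACE).
HEC_PORT="${HEC_PORT:-8088}"
HEC_IFACE="${HEC_IFACE:-eth0}"

# Given `netstat -lpen` or `ss -lptn` output on stdin, print the name of the
# process listening on port $1 (should be splunkd); return 1 if nothing listens.
hec_listener() {
    awk -v p=":$1" '
        $0 ~ (p "[ \t]") && /LISTEN/ {
            if (match($0, /[0-9]+\/[A-Za-z0-9_.-]+/)) {      # netstat: "12345/splunkd"
                s = substr($0, RSTART, RLENGTH); sub(/^[0-9]+\//, "", s)
            } else if (match($0, /users:\(\("[^"]+"/)) {       # ss: users:(("splunkd",...
                s = substr($0, RSTART + 9, RLENGTH - 10)
            } else next
            print s; found = 1; exit
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample output (not from a real host), one line per tool shape.
SAMPLE_NETSTAT='tcp  0  0 0.0.0.0:8088  0.0.0.0:*  LISTEN  1001  123456  12345/splunkd
tcp  0  0 127.0.0.1:8089  0.0.0.0:*  LISTEN  1001  123457  12345/splunkd'
SAMPLE_SS='LISTEN 0 128 0.0.0.0:8088 0.0.0.0:* users:(("splunkd",pid=12345,fd=7))'

# Live checks, run on the indexer (read-only; they change nothing).
hec_check_listener() {
    name=$({ netstat -lpen 2>/dev/null || ss -lptn 2>/dev/null; } | hec_listener "$HEC_PORT") ||
        { echo "FAIL: nothing listening on ${HEC_PORT}; is HEC enabled?"; return 1; }
    echo "OK: ${name} listening on ${HEC_PORT}"
}
hec_check_firewall() {   # any iptables rule naming the port
    iptables -S 2>/dev/null | grep -w -- "$HEC_PORT" || echo "WARN: no iptables rule mentions ${HEC_PORT}"
}
hec_check_cert() {       # run from the client too, for an end-to-end check
    echo | openssl s_client -connect "${1:-127.0.0.1}:${HEC_PORT}" 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}
hec_capture() {          # bounded capture: at most $1 packets or $2 seconds
    timeout "${2:-30}" tcpdump -i "$HEC_IFACE" -nn -c "${1:-20}" "tcp port ${HEC_PORT}"
}

if [ "$#" -gt 0 ]; then   # usage: sh hec_check.sh <hec-host>
    hec_check_listener
    hec_check_firewall
    hec_check_cert "$1"
    hec_capture
fi
```

Run it as root on the indexer with the HEC hostname as the only argument; the capture stops by itself after 20 packets or 30 seconds so it is not left running on a busy box.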