Deployment Architecture

UPD listening is not receiving events on one of my Universal Forwarders.

Path Finder

UDP listening is not working on one of my UF's. Have PCAPs confirming the events are successfully making it from the expected source to the system with the UF installed on it. So it is not the sending device and the local firewall on the UF system. Below is the error showing in splunkd log:

12-06-2019 18:02:26.913 +0100 ERROR UDPInputProcessor - Error binding to socket in UDPInputProcessor: The operation completed successfully.

Maybe the account the Splunk Universal Forwarder service is running as does not have the right privileges on the system???

Labels (1)
0 Karma
1 Solution

Motivator

I would guess there is a port conflict. Have you tried changing the port number to something else for your UDP input?

If your UF is on a Linux system, use the following to confirm if the port is being used by another process - https://www.tecmint.com/find-out-which-process-listening-on-a-particular-port/

For windows, use this - https://stackoverflow.com/questions/48198/how-can-you-find-out-which-process-is-listening-on-a-port-...

Please also refer to this post which was answered by @martin_mueller - https://answers.splunk.com/answers/145270/problems-creating-an-udp-input-error-binding-to-socket-in-...

View solution in original post

Motivator

I would guess there is a port conflict. Have you tried changing the port number to something else for your UDP input?

If your UF is on a Linux system, use the following to confirm if the port is being used by another process - https://www.tecmint.com/find-out-which-process-listening-on-a-particular-port/

For windows, use this - https://stackoverflow.com/questions/48198/how-can-you-find-out-which-process-is-listening-on-a-port-...

Please also refer to this post which was answered by @martin_mueller - https://answers.splunk.com/answers/145270/problems-creating-an-udp-input-error-binding-to-socket-in-...

View solution in original post

Path Finder

Device owner had another application syslog application running and receiving the events. did not communicate this to me until later. configured Splunk to read log files written by their syslog tool. Communication is key!

0 Karma

SplunkTrust
SplunkTrust

Best practice for syslog is use a syslog server. Then use a UF to pickup the log files it writes.

0 Karma