Deployment Architecture

UPD listening is not receiving events on one of my Universal Forwarders.

donaldwayne1975
Path Finder

UDP listening is not working on one of my UF's. Have PCAPs confirming the events are successfully making it from the expected source to the system with the UF installed on it. So it is not the sending device and the local firewall on the UF system. Below is the error showing in splunkd log:

12-06-2019 18:02:26.913 +0100 ERROR UDPInputProcessor - Error binding to socket in UDPInputProcessor: The operation completed successfully.

Maybe the account the Splunk Universal Forwarder service is running as does not have the right privileges on the system???

Labels (1)
0 Karma
1 Solution

arjunpkishore5
Motivator

I would guess there is a port conflict. Have you tried changing the port number to something else for your UDP input?

If your UF is on a Linux system, use the following to confirm if the port is being used by another process - https://www.tecmint.com/find-out-which-process-listening-on-a-particular-port/

For windows, use this - https://stackoverflow.com/questions/48198/how-can-you-find-out-which-process-is-listening-on-a-port-...

Please also refer to this post which was answered by @martin_mueller - https://answers.splunk.com/answers/145270/problems-creating-an-udp-input-error-binding-to-socket-in-...

View solution in original post

arjunpkishore5
Motivator

I would guess there is a port conflict. Have you tried changing the port number to something else for your UDP input?

If your UF is on a Linux system, use the following to confirm if the port is being used by another process - https://www.tecmint.com/find-out-which-process-listening-on-a-particular-port/

For windows, use this - https://stackoverflow.com/questions/48198/how-can-you-find-out-which-process-is-listening-on-a-port-...

Please also refer to this post which was answered by @martin_mueller - https://answers.splunk.com/answers/145270/problems-creating-an-udp-input-error-binding-to-socket-in-...

donaldwayne1975
Path Finder

Device owner had another application syslog application running and receiving the events. did not communicate this to me until later. configured Splunk to read log files written by their syslog tool. Communication is key!

0 Karma

starcher
Influencer

Best practice for syslog is use a syslog server. Then use a UF to pickup the log files it writes.

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...