Hi Folks,
I'm very new at syslog server configuration but I have a question about this.
I have a UF (universal forwarder) and I want it to act as a syslog server as well. I want it to receive the syslog logs on a different port (not 514). Port 30001, for example.
Should that port be opened on the Splunk side or on my network side?
I appreciate any comment or documents to further understand this.
Thanks.
@richgalloway @ryanJustRyan Thanks for your reply.
Just another quick noob question:
I have the following configuration on Splunk UF inputs:
[monitor:///apps/syslog-ng/.../port_30001/...]
When I use telnet localhost 30001 it says "Connection refused" and because of that, the logs are not being sent to my indexers. Should I open the port on my network side?
I used ss -antp | grep '30001' and the port is not listening on my machine.
Thanks.
Yes, you need to do the needful on your network to make sure connections to port 30001 (and any others Splunk may use) are permitted.
Anything that is restricting access to the listening syslog server would need to be open - typically this is the firewall on the application server if active, and the firewall on the network if active. I can't speak to your environment.
Typically you would set up a syslog listening server using a dedicated syslog application (as another person stated earlier, syslog-ng or rsyslog) ... this will listen on the network port you define, and that port must be open on the server the syslog server is running on.
You then configure the syslog server to listen and filter data to be placed in particular folders.
You then configure the universal forwarder on the same app server to forward the filtered data to your Splunk indexers.
Typically a device sending a network request does not require a port to be opened - you only need the port open on the listening servers.
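As an added example (not posted in this thread, and not Splunk's or rsyslog's own documentation), here is how the setup described above fits together on one host: an rsyslog drop-in that binds port 30001 and files each sender's messages into its own folder, a UF inputs.conf stanza that monitors that tree, and the host-firewall step for the listening server only. The base folder /apps/syslog-ng, the UF install path /opt/splunkforwarder, the app name syslog_inputs and the index name are assumptions. The port_is_listening function is the same check as the ss command in the question: telnet's "Connection refused" means no process is bound to 30001 on the host, and a [monitor://] stanza never binds a port; only the syslog daemon does.

```shell
#!/bin/sh
# Added example, not from the thread: rsyslog listens on 30001, files messages per
# sending host, and a Splunk UF monitor stanza picks the files up.
# Paths, app name and index name below are assumptions.

SYSLOG_PORT=30001
SYSLOG_ROOT=/apps/syslog-ng          # assumed base folder (the poster's real path is elided)
SPLUNK_HOME=/opt/splunkforwarder     # default UF install location

# rsyslog drop-in: bind TCP and UDP 30001 and write each sender's messages to its own
# folder: /apps/syslog-ng/port_30001/<sender-ip>/messages.log
render_rsyslog_conf() {
cat <<EOF
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="$SYSLOG_PORT" ruleset="rs_$SYSLOG_PORT")
input(type="imtcp" port="$SYSLOG_PORT" ruleset="rs_$SYSLOG_PORT")
template(name="tpl_$SYSLOG_PORT" type="string"
         string="$SYSLOG_ROOT/port_$SYSLOG_PORT/%fromhost-ip%/messages.log")
ruleset(name="rs_$SYSLOG_PORT") {
    action(type="omfile" dynaFile="tpl_$SYSLOG_PORT" dirCreateMode="0750" fileCreateMode="0640")
    stop
}
EOF
}

# Path where a message from the given sender IP lands (mirrors the template above).
dest_path_for_sender() {
    printf '%s/port_%s/%s/messages.log\n' "$SYSLOG_ROOT" "$SYSLOG_PORT" "$1"
}

# Splunk UF inputs.conf: monitor the whole tree. host_segment = 4 takes the host from the
# 4th path segment (/apps=1 /syslog-ng=2 /port_30001=3 /<sender-ip>=4). Index name assumed.
render_inputs_conf() {
cat <<EOF
[monitor://$SYSLOG_ROOT/port_$SYSLOG_PORT/*/messages.log]
sourcetype = syslog
host_segment = 4
index = network
disabled = false
EOF
}

# Given "ss -lntup" output on stdin, succeed only if a socket is bound to the port.
# If this fails, telnet gets "Connection refused": the listener is missing, not the firewall.
port_is_listening() {
    grep -Eq "[]:]$1[[:space:]]"
}

# Host firewall on the listening server (run as root). Sending devices need no inbound rule.
open_host_firewall() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="$SYSLOG_PORT/tcp"
        firewall-cmd --permanent --add-port="$SYSLOG_PORT/udp"
        firewall-cmd --reload
    elif command -v ufw >/dev/null 2>&1; then
        ufw allow "$SYSLOG_PORT/tcp"
        ufw allow "$SYSLOG_PORT/udp"
    fi
}

# Apply everything on the syslog/UF host (root), then re-check with ss.
apply_all() {
    render_rsyslog_conf > "/etc/rsyslog.d/30-port_$SYSLOG_PORT.conf"
    mkdir -p "$SPLUNK_HOME/etc/apps/syslog_inputs/local"
    render_inputs_conf > "$SPLUNK_HOME/etc/apps/syslog_inputs/local/inputs.conf"
    open_host_firewall
    systemctl restart rsyslog
    "$SPLUNK_HOME/bin/splunk" restart
    if ss -lntup | port_is_listening "$SYSLOG_PORT"; then
        echo "rsyslog is listening on $SYSLOG_PORT"
    else
        echo "nothing is listening on $SYSLOG_PORT; check rsyslog status" >&2
        exit 1
    fi
}

# Only touch the system when explicitly asked: sh this_script.sh apply
if [ "${1:-}" = apply ]; then apply_all; fi
```

Run it with the apply argument on the host that carries both rsyslog and the UF; the network firewall between the sending devices and that host still needs its own rule for 30001, which nothing on the host can add for you.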
Splunk is not a good syslog server. You'll have better results with a dedicated syslog product such as syslog-ng or rsyslog. Also, consider using Splunk Connect for Syslog (SC4S), which simplifies syslog administration.
To answer the question, the port must be opened on BOTH the Splunk side and the network side.