Getting Data In

Can I use a syslog server as a Universal Forwarder?

splunk_luis12
Path Finder

Hi Folks,

I'm very new at syslog server configuration but I have a question about this.

I have a UF (universal forwarder) and I want it to act as a syslog server as well. I want it to receive the syslog logs on a different port (not 514), port 30001 for example.

Should that port be opened on the Splunk side or on my network side?

I appreciate any comment or documents to further understand this.

Thanks.

0 Karma

splunk_luis12
Path Finder

@richgalloway  @ryanJustRyan  Thanks for your reply.

Just another quick noob question:

I have the following configuration on Splunk UF inputs: 

[monitor:///apps/syslog-ng/.../port_30001/...]

When I use telnet localhost 30001 it says "Connection refused", and because of that the logs are not being sent to my indexers. Should I open the port on my network side?

I used ss -antp | grep '30001' and the port is not listening on my machine.

Thanks.

0 Karma

richgalloway
SplunkTrust

Yes, you need to do the needful on your network to make sure connections to port 30001 (and any others Splunk may use) are permitted.

---
If this reply helps you, Karma would be appreciated.

ryanJustRyan
Engager

Anything that is restricting access to the listening syslog server would need to be open - typically this is the firewall on the application server if active, and the firewall on the network if active. I can't speak to your environment.

ryanJustRyan
Engager

Typically you would set up a syslog listening server using a dedicated syslog application (previously stated by another person as syslog-ng or rsyslog) ... this will listen on the network port you define and it must have the open port on the server the syslog server is running from.

You then configure the syslog server to listen and filter data to be placed in particular folders.

You then configure the universal forwarder on the same app server to forward the filtered data to your Splunk indexers.

Typically a device sending a network request does not require a port to be opened - you only need the port open on the listening servers.
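As an added illustration of the three steps above (this is example code written for this page, not configuration posted in the thread and not Splunk's or rsyslog's own files), the script below generates an rsyslog listener fragment for port 30001 that sorts incoming messages into one directory per sending host, generates the matching Universal Forwarder inputs.conf monitor stanza, and includes a local check that tells "nothing is bound to the port" apart from "the port is bound but something upstream blocks it". The root directory /apps/syslog-ng, the per-host layout, the sourcetype and the port are assumptions chosen for the example; the monitor stanza only reads files, it never opens a network port, so the listener check is aimed at the syslog daemon.

```shell
#!/bin/sh
# Added example for this thread; paths, port and sourcetype are assumptions.
SYSLOG_PORT="${SYSLOG_PORT:-30001}"
SYSLOG_ROOT="${SYSLOG_ROOT:-/apps/syslog-ng}"

# Step 1: an rsyslog fragment (e.g. /etc/rsyslog.d/port_30001.conf) that listens on
# the chosen port over UDP and TCP and writes each sender's messages to
# <root>/<hostname>/port_<port>/<date>.log. The "stop" keeps these messages out of
# the host's own /var/log files.
rsyslog_listener_conf() {
  cat <<EOF
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="${SYSLOG_PORT}" ruleset="port_${SYSLOG_PORT}")
input(type="imtcp" port="${SYSLOG_PORT}" ruleset="port_${SYSLOG_PORT}")

template(name="perHost_${SYSLOG_PORT}" type="string"
         string="${SYSLOG_ROOT}/%HOSTNAME%/port_${SYSLOG_PORT}/%\$YEAR%-%\$MONTH%-%\$DAY%.log")

ruleset(name="port_${SYSLOG_PORT}") {
  action(type="omfile" dynaFile="perHost_${SYSLOG_PORT}"
         dirCreateMode="0750" fileCreateMode="0640")
  stop
}
EOF
}

# Step 2/3: the Universal Forwarder inputs.conf stanza that picks up those files.
# host_segment=3 takes the host name from the third path segment
# (/apps=1/syslog-ng=2/<host>=3), so events are attributed to the sender, not
# to the forwarder.
uf_inputs_conf() {
  cat <<EOF
[monitor://${SYSLOG_ROOT}/*/port_${SYSLOG_PORT}/*.log]
sourcetype = syslog
host_segment = 3
disabled = 0
EOF
}

# Returns 0 if a local process is bound to the port (TCP or UDP), 1 if not,
# 2 if neither ss nor netstat is available to tell.
port_is_listening() {
  port="$1"
  if command -v ss >/dev/null 2>&1; then
    ss -lntu 2>/dev/null | awk -v p=":${port}$" \
      '{ for (i = 1; i <= NF; i++) if ($i ~ p) found = 1 } END { exit !found }'
  elif command -v netstat >/dev/null 2>&1; then
    netstat -lntu 2>/dev/null | awk -v p=":${port}$" \
      '{ for (i = 1; i <= NF; i++) if ($i ~ p) found = 1 } END { exit !found }'
  else
    return 2
  fi
}

# A local "Connection refused" with no listener means the syslog daemon is not
# running or not bound to that port; host and network firewalls only become the
# question once something is listening.
diagnose_port() {
  if port_is_listening "$1"; then
    echo "listening: a process is bound to port $1; if remote senders still fail, check host and network firewalls"
  else
    echo "not listening: no process is bound to port $1; start or fix the syslog listener before looking at firewalls"
  fi
}

# Usage: sh this_script.sh show
case "${1:-}" in
  show) rsyslog_listener_conf; echo; uf_inputs_conf; echo; diagnose_port "$SYSLOG_PORT" ;;
esac
```

Run it with the `show` argument to print both fragments and the listener verdict for the configured port; override `SYSLOG_PORT` or `SYSLOG_ROOT` in the environment to adapt the paths. The listener check reads only local socket tables, so it does not need any network access of its own.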

richgalloway
SplunkTrust

Splunk is not a good syslog server.  You'll have better results with a dedicated syslog product such as syslog-ng or rsyslog.  Also, consider using Splunk Connect for Syslog (SC4S), which simplifies syslog administration.

To answer the question, the port must be opened on BOTH the Splunk side and the network side.

---
If this reply helps you, Karma would be appreciated.