Getting Data In

Can't now add monitor UDP 514

HoangSon
New Member

I have 2 data sources on UDP 514. I use the "Only accept connection from" field to split them into 2 sources, but when I split them, there is no data in Splunk. When I put them together in one source, there is data.

0 Karma
1 Solution

Richfez
SplunkTrust

While this may or may not answer your problem specifically, it answers your problem generically.

Do not have Splunk listen on network ports, at least for traffic that's syslog or any other well-known standard protocol with a zillion awesome apps built specifically to listen on those ports. Just because you can do this doesn't mean that you should.

Instead, install syslog-ng (for Linux, or the free edition of Kiwi Syslog Daemon for Windows, or even run a tiny VM with Linux and syslog-ng on it) and have it listen for syslog and write it to file. Then have Splunk pick up the files from that location.

The biggest two problems this solves are that Splunk needs restarting often, and takes forever and a half to do so. UDP doesn't care that the packet doesn't make it and nothing was listening, UDP is a "fling it and hope" protocol so when Splunk is restarting those just get lost. Conversely, syslog-ng restarts in the blink of an eye, and frankly almost never even needs restarting anyway. The second problem is that, as you noticed, routing issues can occur because you are mixing all those inputs on 514 with each other. A syslog receiver can handle that easily, dropping files into separate folders based on ... well, almost anything - hostname, IP, content, facility ... whatever it is. Then Splunk can use the folder name as the hostname if you want, when you read it.

The interwebs are full of setting this sort of solution up - the tiniest amount of digging will turn up all sorts of guides for a simple solution, and Answers here also has some help.

0 Karma

HoangSon
New Member

Thanks for the answer. I think it is a great idea.

0 Karma

HoangSon
New Member

I am using cluster mode; every monitor configuration is added by the master node. A monitor sample looks like:

[udp://10.48.255.4, 10.48.15.50:514]
connection_host = ip
index = nw_cisco
sourcetype = cisco:ios

[udp://10.6.20.24, 10.6.20.25:514]
connection_host = ip
sourcetype = tippingpoint:syslog
index = nw_ips

0 Karma
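Richfez's recommendation, written out end to end as an added example (this is not code from the thread, from Splunk or from the syslog-ng project): syslog-ng owns UDP 514, sorts messages into one directory per sending device using the four source IPs from the stanzas above, and Splunk reads the directories with host_segment so the folder name becomes the host. The index and sourcetype values are the ones from HoangSon's stanzas; the file paths, the app name, the "unknown" catch-all directory and its index are my assumptions.

```conf
# ---- File 1: /etc/syslog-ng/conf.d/udp514-to-files.conf (assumed path) ----
# syslog-ng holds UDP 514, so a Splunk restart no longer drops packets.
# Binding a port below 1024 needs root or CAP_NET_BIND_SERVICE for syslog-ng.

source s_udp514 {
    network(
        ip("0.0.0.0")
        port(514)
        transport("udp")
        so-rcvbuf(8388608)   # bigger kernel receive buffer absorbs bursts while disk I/O catches up
    );
};

# Route on the sender's IP address. netmask() checks the packet source, not the
# hostname inside the message, which the sender can set to anything.
# Addresses are the four devices listed in the question.
filter f_cisco        { netmask("10.48.255.4/32") or netmask("10.48.15.50/32"); };
filter f_tippingpoint { netmask("10.6.20.24/32")  or netmask("10.6.20.25/32"); };

# One directory per sender: /var/log/remote/<class>/<source-ip>/syslog.log
# perm/dir-perm: the account Splunk runs as must be able to read these files.
destination d_cisco {
    file("/var/log/remote/cisco/${SOURCEIP}/syslog.log"
         create-dirs(yes) dir-perm(0750) perm(0640)
         template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"));
};
destination d_tippingpoint {
    file("/var/log/remote/tippingpoint/${SOURCEIP}/syslog.log"
         create-dirs(yes) dir-perm(0750) perm(0640)
         template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"));
};
# Catch-all (assumed): anything else sending to 514 lands here instead of
# vanishing, so a new or misconfigured device is visible rather than silently dropped.
destination d_unknown {
    file("/var/log/remote/unknown/${SOURCEIP}/syslog.log"
         create-dirs(yes) dir-perm(0750) perm(0640)
         template("${ISODATE} ${HOST} ${MSGHDR}${MSG}\n"));
};

# flags(final) stops a matched message from also reaching the catch-all.
log { source(s_udp514); filter(f_cisco);        destination(d_cisco);        flags(final); };
log { source(s_udp514); filter(f_tippingpoint); destination(d_tippingpoint); flags(final); };
log { source(s_udp514); destination(d_unknown); };

# ---- File 2: $SPLUNK_HOME/etc/apps/nw_syslog_inputs/local/inputs.conf (assumed app name) ----
# Distribute this from the cluster master the same way as the UDP stanzas above,
# and remove those UDP stanzas so Splunk and syslog-ng do not both try to bind 514.
# host_segment = 5 counts path segments: /var(1)/log(2)/remote(3)/cisco(4)/<ip>(5)/syslog.log,
# so the per-sender folder name becomes the event's host field.

[monitor:///var/log/remote/cisco]
sourcetype = cisco:ios
index = nw_cisco
host_segment = 5
recursive = true
whitelist = \.log$
disabled = false

[monitor:///var/log/remote/tippingpoint]
sourcetype = tippingpoint:syslog
index = nw_ips
host_segment = 5
recursive = true
whitelist = \.log$
disabled = false

# Assumed: unexpected senders go to the default index with a generic sourcetype
# so they can be reviewed and given a proper stanza.
[monitor:///var/log/remote/unknown]
sourcetype = syslog
index = main
host_segment = 5
recursive = true
whitelist = \.log$
disabled = false
```

Before reloading, `syslog-ng --syntax-only` validates file 1, and `splunk btool inputs list --debug` shows which file each monitor setting is actually coming from, which matters in a cluster where several apps may carry inputs. After the restart, `ss -lunp` should list syslog-ng, not splunkd, as the owner of UDP 514; if both appear, the old UDP stanzas are still deployed somewhere. Routing on the source IP rather than on the hostname in the message means a device that sends a wrong or spoofed hostname still lands in the folder for its real address, and the catch-all directory turns "where did that device's logs go?" into a quick directory listing.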