Data Inputs / TCP or UDP

Engager

I am not very familiar with Splunk and syslog servers in general, but I am trying to learn. There is a "Broadcast on LAN" option in the "Syslog" section of my Netgear router, but I do not know which port number to use in Splunk when I activate the syslog broadcast. I have contacted Netgear but I haven't been able to get a clear answer and they keep telling me to contact Splunk even though I told them that I can use any port number I want in "Data Inputs / TCP" or "Data Inputs / UDP". Their last suggestion was to use port forwarding or port triggering but I am not sure that this is what I should be doing. I realize that I am starting from scratch but would appreciate any help you can give me to get started. Many thanks in advance.


Re: Data Inputs / TCP or UDP

Legend

Syslog broadcast is a new concept to me! Doesn't sound very efficient...but, the easiest thing would probably be to run tcpdump on a box on the LAN, for instance the box you're running Splunk on. If it's indeed syslog though, it should be UDP port 514.


Re: Data Inputs / TCP or UDP

Splunk Employee

On the same page of your Netgear router there should be another option called "Send to this syslog server IP address" followed by space where you should type the IP address of your machine with Splunk. Then on Splunk go to Data Inputs/UDP and type 514 as the port number. Your syslog data should start flowing in.


Re: Data Inputs / TCP or UDP

Engager

Ayn and Leo, many thanks for your help.

As suggested by Leo, I used the "Send to this Syslog server IP address" option on the Netgear router and entered my main computer's IP address (192.168.0.2). I run the Splunk server on this computer.

When I then tried to set up a new UDP data input, Splunk returned “Encountered the following error while trying to save: In handler 'udp': UDP port 514 is not available”. I was able to solve this thanks to gabedimeglio’s answer to: http://answers.splunk.com/questions/1653/cant-add-udp-input-because-of-error-udp-port-514-is-not-ava.... The key was to use “sudo ./splunk start” rather than just “./splunk start”.

I can now see the router’s syslog events in splunk>Search so it seems that I am all set now.

Thanks again (and to gabedimeglio too)!
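The two mechanics behind this thread, what a router's "Send to this syslog server IP address" setting actually delivers to a UDP 514 listener, and why that listener fails to bind with "UDP port 514 is not available" when Splunk is not started as root, can be seen with a small stand-alone receiver. The following is an added example written for this page; it is not Splunk code and not the poster's configuration. The sample datagram is constructed in the BSD syslog shape consumer routers typically emit (not captured from a real Netgear device), and the function names `parse_syslog`, `try_bind`, `diagnose` and `serve` are this example's own.

```python
"""Minimal UDP syslog receiver: decodes the <PRI> header the way a collector
such as Splunk's Data Inputs/UDP would, and explains bind failures on port 514.
Added example for this thread; not Splunk's or Netgear's code."""
import errno
import os
import re
import socket
import sys

# Facility names from RFC 3164/5424; index = PRI // 8.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity names; index = PRI % 8.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample datagram (not from a real device): PRI 134 = local0.info.
SAMPLE_SYSLOG = (
    b"<134>Jan 12 10:22:31 netgear-router: [admin login] from source 192.168.0.2, "
    b"Friday, Jan 12, 2024 10:22:31"
)


def parse_syslog(datagram: bytes) -> dict:
    """Decode the <PRI> header: facility = PRI // 8, severity = PRI % 8."""
    m = PRI_RE.match(datagram)
    if m is None:
        raise ValueError("datagram has no <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # local7 (23) * 8 + debug (7) is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return {
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "message": m.group(2).decode("utf-8", errors="replace").rstrip("\r\n"),
    }


def try_bind(port: int, host: str = "0.0.0.0") -> str:
    """Attempt a UDP bind and return 'ok', 'in_use' or 'privileged'.

    On Linux, ports below 1024 require root (CAP_NET_BIND_SERVICE); a non-root
    bind raises PermissionError, which is the condition behind Splunk's
    "UDP port 514 is not available" when it is started without sudo.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "ok"
    except PermissionError:
        return "privileged"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in_use"
        raise
    finally:
        sock.close()


def diagnose(port: int) -> str:
    """Map a bind result to the remedy discussed in the thread."""
    result = try_bind(port)
    if result == "privileged":
        return (f"port {port} is below 1024 and this process is not root (euid {os.geteuid()}); "
                f"start the collector as root, or pick a port >= 1024 and point the router at it")
    if result == "in_use":
        return f"port {port} is already bound by another process (for example the OS syslog daemon)"
    return f"port {port} is free"


def serve(port: int = 514, host: str = "0.0.0.0") -> None:
    """Receive and decode datagrams until interrupted. Binding 0.0.0.0 also
    receives LAN-broadcast syslog (sent to the subnet broadcast address),
    so the router's "Broadcast on LAN" mode lands here as well as unicast."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    print(f"listening on udp/{port}")
    while True:
        data, (src, _) = sock.recvfrom(8192)
        try:
            event = parse_syslog(data)
        except ValueError as exc:
            print(f"{src}: unparsed ({exc}): {data!r}")
            continue
        print(f"{src} {event['facility']}.{event['severity']} {event['message']}")


if __name__ == "__main__":
    listen_port = int(sys.argv[1]) if len(sys.argv) > 1 else 514
    print(diagnose(listen_port))
    if try_bind(listen_port) == "ok":
        serve(listen_port)
```

Run it as `python3 receiver.py` (needs root for 514) or `python3 receiver.py 5514` as an unprivileged user, then point the router's "Send to this syslog server IP address" at the host; the decoded facility.severity lines are what a Splunk UDP input on the same port would index. The `diagnose` output is the same distinction the poster hit: a privileged-port failure is fixed by running the collector as root (or choosing a high port), whereas an in-use failure means another daemon already owns the port.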