Failed to add the same UDP port

noott211 · ‎10-07-2021

udp7511 syslog transmission was set up on three firewalls.
The same port is not registered on the splank web.
I used the method below, but it failed. However, logs are sent when set to another port on the splunk web.

/opt/splunk/etc/apps/search/local

[udp://7511]
connection_host = ip
host = 192.168.10.10
index = fw1
source = fw1_source
sourcetype = syslog

[udp://7511]
connection_host = ip
host = 192.168.10.20
index = fw2
source = fw2_source
sourcetype = syslog

[udp://7511]
connection_host = ip
host = 192.168.10.30
index = fw3
source = fw3_source
sourcetype = syslog

PickleRick · ‎10-07-2021

No. You can't do it this way. If you define a tcp or udp input, splunk binds the port to a given ip (or inaddr_any if you don't specify an address to bind to). Your config would try to define the same input three times. I don't recall at the moment whether it would result in splunk trying three times to bind to the same port (which would fail - you can't listen on the same port more than once) or overwriting subsequent definitions with the last instance. But any way it did, it's definitely not what you want.

Furthermore, splunk's udp input is not a very good way to receive syslog event's (partly because of performance issues, partly because of lack of metadata). You'd be much better off using either sc4s, rsyslogd or some other form of intermediate syslog receiving and processing layer.

But if it's a small installation and you want to stick to builtin inputs only, bind the inputs on different ports.

Oh, and it's worth remembering that udp is unreliable and you might easily be losing events.

Failed to add the same UDP port

inputs.conf

Linux

syslog

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms