Getting Data In

Getting Splunk to work with Syslog UDP 514

fletch13
Explorer

I've been reading and trying to figure this out, but I'm stumped.

I configured a device to send syslog events to the Splunk server via udp:514.
I can see the traffic (on the Splunk server) with tcpdump port 514. I've tested this by triggering an event on the device and seeing the event on the Splunk server (via tcpdump).

./splunk list udp (CLI) shows 514
I've tailed "metrics.log" and I do not see the related syslog event getting there.

Looks like everything is good, but nothing in searches or indexes.
Running Splunk ver 6.


mcronkrite
Splunk Employee

Redirects 514 to 5514 in this example.

Poke a hole in iptables to allow the web-configuration and the listener ports.

Redirect for port 515 up to 5514, which we are listening on (be sure to "service iptables save" after modifying iptables, or modify /etc/sysconfig/iptables directly).

# Allow the Splunk web UI (8000) and the redirected listener port (5514)
iptables -I INPUT -p tcp --dport 8000 -j ACCEPT

iptables -I INPUT -p tcp --dport 5514 -j ACCEPT

# The UDP DNAT below lands syslog on udp/5514, so that port needs an INPUT rule as well
iptables -I INPUT -p udp --dport 5514 -j ACCEPT

# Rewrite inbound 514 (tcp and udp) to 5514, where Splunk is listening
iptables -t nat -A PREROUTING -d MY.IP -p tcp -m tcp --dport 514 -j DNAT --to-destination MY.IP:5514

iptables -t nat -A PREROUTING -d MY.IP -p udp -m udp --dport 514 -j DNAT --to-destination MY.IP:5514

fletch13
Explorer

Not sure, but it works now. Could have been just going over the steps needed to make this work.
Thanks.

  1. configured iptables to take udp 514
  2. restarting iptables
  3. adding data input udp 514

BTW: I still don't see syslog "port 514" activity in metrics.log, but it works.


fletch13
Explorer

Yes. Splunk has been configured to listen on udp 514.


twinspop
Influencer

Dwaddle nailed it, but I'd also check to see if another process, like syslog or syslog-ng, is already using UDP 514.

lsof -i :514

twinspop
Influencer

Did you restart Splunk after? It won't dynamically re-try the port. A restart will be needed.


fletch13
Explorer

I did have rsyslog running. I killed it and am still not seeing my UDP traffic in metrics.log.


dwaddle
SplunkTrust

Disable your firewall. And/or add rules to allow UDP/514.

Using tcpdump is a great test, but it is misleading with UDP packets. The libpcap libraries sit in the network stack below iptables. So it is entirely possible that you will see a packet arrive with tcpdump and it will be dropped by iptables before it makes it to the process. And because it's UDP there is no broken session setup to observe.
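To make the point above concrete, here is a small Python checker (added here, not code from any poster in this thread) that walks `iptables -S` output the way the kernel does, first match wins, and reports where a packet ends up after the PREROUTING DNAT and what INPUT does with it. The sample rules are constructed from the ones posted earlier, with MY.IP assumed to be 192.0.2.10; they show that a UDP syslog datagram tcpdump happily captures is rewritten to 5514 and then rejected, because only tcp/5514 was opened.

```python
# Constructed sample of `iptables -S INPUT` and `iptables -t nat -S PREROUTING` output,
# modelled on the rules posted in this thread (MY.IP replaced by the example address 192.0.2.10).
SAMPLE_INPUT = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5514 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""
SAMPLE_NAT = """\
-P PREROUTING ACCEPT
-A PREROUTING -d 192.0.2.10/32 -p tcp -m tcp --dport 514 -j DNAT --to-destination 192.0.2.10:5514
-A PREROUTING -d 192.0.2.10/32 -p udp -m udp --dport 514 -j DNAT --to-destination 192.0.2.10:5514
"""

def _opt(tokens, flag):
    """Value following `flag` in a tokenised rule, or None if the flag is absent."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def dnat_port(nat_rules, proto, port):
    """Destination port after the first PREROUTING DNAT rule matching proto/port (unchanged if none)."""
    for line in nat_rules.splitlines():
        t = line.split()
        if (t[:1] == ["-A"] and _opt(t, "-j") == "DNAT" and _opt(t, "-p") == proto
                and _opt(t, "--dport") == str(port)):
            return int(_opt(t, "--to-destination").rsplit(":", 1)[1])
    return port

def input_verdict(input_rules, proto, port):
    """Target of the first INPUT rule a NEW proto/port packet hits (first match wins), else the policy.
    Address matches (-s/-d) are ignored, so this is a best-effort check for the local host."""
    policy = "ACCEPT"
    for line in input_rules.splitlines():
        t = line.split()
        if t[:1] == ["-P"]:
            policy = t[2]
        elif t[:1] == ["-A"]:
            if _opt(t, "-p") not in (None, proto) or _opt(t, "--dport") not in (None, str(port)):
                continue  # rule is for another protocol or port
            states = _opt(t, "--state")
            if states and "NEW" not in states.split(","):
                continue  # RELATED/ESTABLISHED-only rule: a fresh syslog datagram is NEW, no match
            return _opt(t, "-j")
    return policy

def effective_verdict(nat_rules, input_rules, proto, port):
    """(INPUT verdict, final port) for a packet sent to `port`, after any PREROUTING DNAT."""
    final_port = dnat_port(nat_rules, proto, port)
    return input_verdict(input_rules, proto, final_port), final_port
```

On a live host, feed the real output of `iptables -t nat -S PREROUTING` and `iptables -S INPUT` (run as root) into effective_verdict; a REJECT or DROP verdict for udp/514 explains a packet that tcpdump shows but Splunk never receives.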

fletch13
Explorer

Okay. I double-checked and the iptables file is configured to accept port 514, plus I restarted iptables.
-A INPUT -p udp -m udp --dport 514 -j ACCEPT

lukejadamec
Super Champion

How have you configured Splunk to listen on that port?
