I've been reading and trying to figure this out, but I'm stumped.
I configured a device to send syslog events to the Splunk server via udp:514.
I can see the traffic (on the Splunk server) with tcpdump port 514. I've tested this by triggering an event on the device and seeing the event arrive on the Splunk server (via tcpdump).
./splunk list udp (CLI) shows 514.
I've tailed "metrics.log" and I do not see the related syslog event getting there.
Looks like everything is good, but nothing shows up in searches or indexes.
Running Splunk version 6.
Redirects 514 to 5514 in this example.
Poke a hole in iptables to allow the web configuration port and the listener port.
Redirect port 515 up to 5514, which we are listening on (be sure to "service iptables save" after modifying iptables, or modify /etc/sysconfig/iptables directly).
# allow Splunk Web and the listener port that Splunk is actually bound to
iptables -I INPUT -p tcp --dport 8000 -j ACCEPT
iptables -I INPUT -p tcp --dport 5514 -j ACCEPT
# the UDP listener needs its own ACCEPT, otherwise redirected UDP syslog is still dropped by the filter table
iptables -I INPUT -p udp --dport 5514 -j ACCEPT
# rewrite the destination port before filtering so devices can keep sending to 514 (MY.IP is the server's address)
iptables -t nat -A PREROUTING -d MY.IP -p tcp -m tcp --dport 514 -j DNAT --to-destination MY.IP:5514
iptables -t nat -A PREROUTING -d MY.IP -p udp -m udp --dport 514 -j DNAT --to-destination MY.IP:5514
Not sure, but it works now. Could have been just going over the steps needed to make this work.
BTW: I still don't see syslog "port 514" activity in metrics.log, but it works.
Disable your firewall. And/or add rules to allow UDP/514.
Using tcpdump is a great test, but it is misleading with UDP packets. The libpcap libraries sit in the network stack below iptables. So it is entirely possible that you will see a packet arrive with tcpdump and it will be dropped by iptables before it makes it to the process. And because it's UDP there is no broken session setup to observe.
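The point made in this answer (tcpdump sees the packet, iptables still drops it, and UDP gives you no error to notice) is why it helps to check the firewall rules rather than the wire. The script below is an added example, not code from any poster here: it reads iptables-save style output, follows any PREROUTING DNAT for udp/514 (the redirect from the earlier answer) to the effective listener port, and then checks whether the filter INPUT chain actually accepts that port. The rule text is a constructed sample; in real use you would feed it `iptables-save` output. It is an approximation: it looks for an explicit ACCEPT or an ACCEPT chain policy and does not model rule ordering or connection-tracking rules.

```shell
#!/bin/sh
# Added example (not from the thread): triage a syslog UDP port against iptables-save output.

# Constructed sample: a ruleset that allows TCP 5514 but forgot UDP 5514,
# while DNAT still redirects both protocols from 514 to 5514.
SAMPLE_RULES=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5514 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -d 10.0.0.5/32 -p tcp -m tcp --dport 514 -j DNAT --to-destination 10.0.0.5:5514
-A PREROUTING -d 10.0.0.5/32 -p udp -m udp --dport 514 -j DNAT --to-destination 10.0.0.5:5514
COMMIT
EOF
)

# Same ruleset with the missing UDP ACCEPT added.
FIXED_RULES=$(printf '%s\n' "$SAMPLE_RULES" | sed 's/^-A INPUT -p tcp -m tcp --dport 5514 -j ACCEPT$/&\
-A INPUT -p udp -m udp --dport 5514 -j ACCEPT/')

# effective_port PROTO PORT RULES
# Prints the port a packet ends up on after any PREROUTING DNAT, or PORT if none applies.
effective_port() {
    ep_proto=$1; ep_port=$2; ep_rules=$3
    ep_target=$(printf '%s\n' "$ep_rules" | awk -v p="$ep_proto" -v d="$ep_port" '
        $1 == "-A" && $2 == "PREROUTING" && $0 ~ ("-p " p " ") && $0 ~ ("--dport " d " ") && $0 ~ /-j DNAT/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--to-destination") { n = split($(i + 1), a, ":"); print a[n]; exit }
        }')
    if [ -n "$ep_target" ]; then printf '%s\n' "$ep_target"; else printf '%s\n' "$ep_port"; fi
}

# input_policy RULES: prints the default policy of the filter INPUT chain (ACCEPT/DROP/...).
input_policy() {
    printf '%s\n' "$1" | awk '$1 == ":INPUT" { print $2; exit }'
}

# input_accepts PROTO PORT RULES: succeeds if INPUT has an explicit ACCEPT for PROTO/PORT.
input_accepts() {
    ia_proto=$1; ia_port=$2; ia_rules=$3
    printf '%s\n' "$ia_rules" | awk -v p="$ia_proto" -v d="$ia_port" '
        $1 == "-A" && $2 == "INPUT" && $0 ~ ("-p " p " ") && $0 ~ ("--dport " d " ") && $0 ~ /-j ACCEPT/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# syslog_path_status PROTO PORT RULES
# Prints "allowed:<effective port>" or "blocked:<effective port>".
syslog_path_status() {
    sp_proto=$1; sp_port=$2; sp_rules=$3
    sp_eff=$(effective_port "$sp_proto" "$sp_port" "$sp_rules")
    if input_accepts "$sp_proto" "$sp_eff" "$sp_rules" || [ "$(input_policy "$sp_rules")" = "ACCEPT" ]; then
        printf 'allowed:%s\n' "$sp_eff"
    else
        printf 'blocked:%s\n' "$sp_eff"
    fi
}

# Stand-alone run: the broken ruleset blocks UDP syslog even though tcpdump would still show it.
echo "udp/514 with sample rules: $(syslog_path_status udp 514 "$SAMPLE_RULES")"
echo "tcp/514 with sample rules: $(syslog_path_status tcp 514 "$SAMPLE_RULES")"
echo "udp/514 with fixed rules:  $(syslog_path_status udp 514 "$FIXED_RULES")"
```

On a live box, run `iptables-save | ...` into the same functions (or copy the output into the variable) and compare the result with `ss -lun` to confirm Splunk is bound on the effective port; if the firewall reports blocked while tcpdump shows packets, that is exactly the case this answer describes.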