Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I receive syslog (udp/514) events with a non-root splunkd?

dwaddle
SplunkTrust
SplunkTrust
‎08-27-2010 01:15 AM

The operating system won't allow a non-root user to bind to ports < 1024. How can I get my splunkd, running as user splunk, to receive events that were previously going to my syslogd at UDP port 514?

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎08-27-2010 01:18 AM

This is a little hackish, but it does work with Splunk on linux. You can configure Splunk to listen on a > 1024 port and use Linux's iptables to do port redirection.

For example, configure in inputs.conf: [udp:2514]

And put into your iptables config:

iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 2514

The only caveat is that this doesn't work with network traffic sourced at the local machine to port 514 on that same machine. But, this should be an acceptable workaround as most 'local' syslog stuff goes to a file, or through a UNIX domain socket like /dev/log.

View solution in original post

Reply
Solved! Jump to solution

pde
Path Finder
‎08-27-2010 05:44 PM

If you're lucky enough to be running Solaris, it's not the least hackish. Just start splunk via the SMF and add the net_privaddr privilege to your manifest:

 <method_credential group='splunk' limit_privileges=':default' privileges='basic,file_dac_read,net_privaddr' supp_groups=':default' user='splunk'/>
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎08-27-2010 01:18 AM

This is a little hackish, but it does work with Splunk on linux. You can configure Splunk to listen on a > 1024 port and use Linux's iptables to do port redirection.

For example, configure in inputs.conf: [udp:2514]

And put into your iptables config:

iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 2514

The only caveat is that this doesn't work with network traffic sourced at the local machine to port 514 on that same machine. But, this should be an acceptable workaround as most 'local' syslog stuff goes to a file, or through a UNIX domain socket like /dev/log.

Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...