Getting Data In
Highlighted

How can I receive syslog (udp/514) events with a non-root splunkd?

SplunkTrust
SplunkTrust

The operating system won't allow a non-root user to bind to ports < 1024. How can I get my splunkd, running as user splunk, to receive events that were previously going to my syslogd at UDP port 514?

Tags (3)
Highlighted

Re: How can I receive syslog (udp/514) events with a non-root splunkd?

SplunkTrust
SplunkTrust

This is a little hackish, but it does work with Splunk on linux. You can configure Splunk to listen on a > 1024 port and use Linux's iptables to do port redirection.

For example, configure in inputs.conf: [udp:2514]

And put into your iptables config:

iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 2514

The only caveat is that this doesn't work with network traffic sourced at the local machine to port 514 on that same machine. But, this should be an acceptable workaround as most 'local' syslog stuff goes to a file, or through a UNIX domain socket like /dev/log.

View solution in original post

Highlighted

Re: How can I receive syslog (udp/514) events with a non-root splunkd?

Path Finder

If you're lucky enough to be running Solaris, it's not the least hackish. Just start splunk via the SMF and add the net_privaddr privilege to your manifest:

 <method_credential group='splunk' limit_privileges=':default' privileges='basic,file_dac_read,net_privaddr' supp_groups=':default' user='splunk'/>