Getting Data In

How can we configure Splunk to allow access to port 514?

eholz1
Contributor

Hello All,

I am running Splunk 9.0.2 on Oracle 8.6. We monitor Cisco devices.

These devices require using port 514 to forward their syslogs to splunk.

We are running splunk as a non-root user. How can we configure Splunk to allow access to port 514?

eholz1


PickleRick
SplunkTrust

You could try to use linux capabilities to allow for non-root binding to low port. But you shouldn't use that. The way to go is to use an external syslog server and either send the events to HEC or write to files and pick up from there with UF.

eholz1
Contributor

Hello PickleRick,

Thanks for the reply. In our case we want to use the Cisco TA Network plugin. We are monitoring only logs from Cisco devices, which do not have UF capability. But I will consider your suggestion.

The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions.

I will look at reading the Cisco logs being sent to our syslog server, perhaps over TCP, using a custom outputs.conf on the UF and a custom inputs.conf on the indexer, and setting the sourcetype to cisco:ios, etc.

Thanks,

eholz1

PickleRick
SplunkTrust

I'm not saying you should install the UF on the Cisco devices, which of course you cannot do. I'm saying the proper way to receive syslog events is by means of an external syslog collector.

"The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions." And here you are completely mistaken. Firstly, it's not "thanks to security features in Splunk" (which has nothing to do with it, as it's just a userspace program) "and newer Linux distributions" (because it's a typical limitation dating back to the early days of Unix systems). And secondly, with newer Linux releases you could try to use setcap to grant the capability to bind to a low port as a non-root user, but people report "limited success" (I didn't investigate this matter, so that might be due to PEBKAC as well as a genuine inability to do it at the system level).

And I strongly advise using an external syslog collector - it will come in handy many times in the future.

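The collector-plus-files approach recommended above, as an added example that is not from the thread or from Splunk: a POSIX shell script that tells you whether a port is privileged on this host (reading the kernel's `ip_unprivileged_port_start`, default 1024), checks whether a splunkd binary already carries `cap_net_bind_service`, and prints an rsyslog receiver config plus the matching UF inputs.conf stanza. The `/var/log/remote` path, the `network` index and `$SPLUNK_HOME` are assumptions.

```sh
#!/bin/sh
# Lowest port a non-root process may bind; argument overrides the sysctl (for tests).
privileged_port_start() {
    if [ -n "$1" ]; then echo "$1"; return; fi
    if [ -r /proc/sys/net/ipv4/ip_unprivileged_port_start ]; then
        cat /proc/sys/net/ipv4/ip_unprivileged_port_start
    else
        echo 1024   # classic Unix default when the sysctl is absent
    fi
}

# Prints "yes" if PORT needs root or CAP_NET_BIND_SERVICE, else "no".
port_needs_privilege() {
    port="$1"; start="$(privileged_port_start "$2")"
    if [ "$port" -lt "$start" ]; then echo yes; else echo no; fi
}

# Reports whether splunkd was granted the bind capability via setcap (assumed path).
splunkd_bind_capability() {
    bin="${1:-/opt/splunk}/bin/splunkd"
    command -v getcap >/dev/null 2>&1 || { echo unknown; return; }
    if getcap "$bin" 2>/dev/null | grep -q cap_net_bind_service; then echo yes; else echo no; fi
}

# rsyslog receiver: binds 514 as root at startup, drops to its own user, writes one file per sending host.
rsyslog_collector_conf() {
cat <<'EOF'
module(load="imudp")
module(load="imtcp")
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
template(name="PerHostFile" type="string"
         string="/var/log/remote/%HOSTNAME%/%$YEAR%-%$MONTH%-%$DAY%.log")
ruleset(name="remote") { action(type="omfile" dynaFile="PerHostFile") }
EOF
}

# Universal Forwarder inputs.conf: host taken from the 4th path segment (/var/log/remote/<host>/).
uf_inputs_conf() {
cat <<'EOF'
[monitor:///var/log/remote/*/*.log]
sourcetype = cisco:ios
host_segment = 4
index = network
disabled = 0
EOF
}
```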

manjunathmeti
SplunkTrust

eholz1
Contributor

Hello manjunathmeti,

Thanks for the reply. In our case we want to use the Cisco TA Network plugin. We are monitoring only logs from Cisco devices, which do not have UF capability. But I will consider your suggestion.

The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions.

I will look at the links you provided to double check. But the base problem is: if we want to send logs directly from the Cisco devices (routers and switches), the logging feature in the IOS on these devices ONLY allows the use of port 514 to send data to Splunk. The whole idea here is to leverage the Splunk Cisco TA plugin to search and organize the data.

Thanks,

eholz1
