Getting Data In

How can we configure Splunk to allow access to port 514?

eholz1
Communicator

Hello All,

I am running Splunk 9.0.2 on Oracle 8.6. We monitor Cisco devices.

These devices require using port 514 to forward their syslogs to splunk.

We are running splunk as a non-root user. How can we configure Splunk to allow access to port 514?

eholz1

Labels (1)
0 Karma

PickleRick
Ultra Champion

You could try to use linux capabilities to allow for non-root binding to low port. But you shouldn't use that. The way to go is to use an external syslog server and either send the events to HEC or write to files and pick up from there with UF.

eholz1
Communicator

Hello PickleRick,

Thanks for the reply. In our case we want to use the cisco TA Network plugin. We are monitoring only

logs from cisco devices which do not have UF capability. But, I will consider your suggestion.

The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions.

I will look at reading Cisco logs being sent to our syslog server, reading the cisco logs, perhaps over tcp and using custom outputs.conf on the UF, and custom inputs.conf on the indexer and setting sourcetype to cisco:ios, etc.

Thanks,

eholz1 -

0 Karma

PickleRick
Ultra Champion

I'm not saying you should install UF on the cisco devices which you of course cannot do. I'm saying the proper way to receive syslog events is by means of external syslog collector.

"The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions". And here you are completely mistaken. Firstly it's not "thanks to security features in Splunk" (which has nothing to do with it as it's just a userspace program) "and newer Linux distributions" (because it's a typical limitation back from the early days of unix systems). And secondly, with newer Linux releases you could try to use setcap to grant capability to bind on a low port as a non-root user but people report "limited success" (But I didn't investigate this matter so that might be due to PEBKAC as well as a genuine inability to do that on system level).

And I strongly advise to use external syslog collector - it will come in handy many times in the future.

0 Karma

eholz1
Communicator

Hello manjunathmeti

Thanks for the reply. In our case we want to use the cisco TA Network plugin. We are monitoring only

logs from cisco devices which do not have UF capability. But, I will consider your suggestion.

The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions.

I will look at the links you provided, to double check. But the base problem is: If we want to send logs direct from the cisco device (routers and switches) the logging feature on the ios on these devices ONLY allows the use of port 514 to send data to splunk. The whole idea here is to leverage the Splunk Cisco TA plugin to search and organized data.

Thanks,

eholz1

 

0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...