Re: Splunk 9.0.2 - Oracle Linux 8.6

eholz1 · ‎01-23-2023

Hello All,

I am running Splunk 9.0.2 on Oracle 8.6. We monitor Cisco devices.

These devices require using port 514 to forward their syslogs to splunk.

We are running splunk as a non-root user. How can we configure Splunk to allow access to port 514?

eholz1

PickleRick · ‎01-23-2023

You could try to use linux capabilities to allow for non-root binding to low port. But you shouldn't use that. The way to go is to use an external syslog server and either send the events to HEC or write to files and pick up from there with UF.

eholz1 · ‎01-24-2023

Hello PickleRick,

Thanks for the reply. In our case we want to use the cisco TA Network plugin. We are monitoring only

logs from cisco devices which do not have UF capability. But, I will consider your suggestion.

The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions.

I will look at reading Cisco logs being sent to our syslog server, reading the cisco logs, perhaps over tcp and using custom outputs.conf on the UF, and custom inputs.conf on the indexer and setting sourcetype to cisco:ios, etc.

Thanks,

eholz1 -

PickleRick · ‎01-24-2023

I'm not saying you should install UF on the cisco devices which you of course cannot do. I'm saying the proper way to receive syslog events is by means of external syslog collector.

"The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions". And here you are completely mistaken. Firstly it's not "thanks to security features in Splunk" (which has nothing to do with it as it's just a userspace program) "and newer Linux distributions" (because it's a typical limitation back from the early days of unix systems). And secondly, with newer Linux releases you could try to use setcap to grant capability to bind on a low port as a non-root user but people report "limited success" (But I didn't investigate this matter so that might be due to PEBKAC as well as a genuine inability to do that on system level).

And I strongly advise to use external syslog collector - it will come in handy many times in the future.

manjunathmeti · ‎01-23-2023

hi @eholz1,

You can configure network inputs, You can do it using inputs.conf or using UI.
Check these links.

https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Monitornetworkports#Configure_a_UDP_ne...

https://docs.splunk.com/Documentation/Splunk/9.0.3/Admin/Inputsconf#UDP_.28User_Datagram_Protocol_ne...

eholz1 · ‎01-24-2023

Hello manjunathmeti

Thanks for the reply. In our case we want to use the cisco TA Network plugin. We are monitoring only

logs from cisco devices which do not have UF capability. But, I will consider your suggestion.

The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions.

I will look at the links you provided, to double check. But the base problem is: If we want to send logs direct from the cisco device (routers and switches) the logging feature on the ios on these devices ONLY allows the use of port 514 to send data to splunk. The whole idea here is to leverage the Splunk Cisco TA plugin to search and organized data.

Thanks,

eholz1

How can we configure Splunk to allow access to port 514?

universal forwarder

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!