Getting Data In

How can we configure Splunk to allow access to port 514?

eholz1
Communicator

Hello All,

I am running Splunk 9.0.2 on Oracle 8.6. We monitor Cisco devices.

These devices require using port 514 to forward their syslogs to splunk.

We are running splunk as a non-root user. How can we configure Splunk to allow access to port 514?

eholz1

Labels (1)
0 Karma

PickleRick
Ultra Champion

You could try to use linux capabilities to allow for non-root binding to low port. But you shouldn't use that. The way to go is to use an external syslog server and either send the events to HEC or write to files and pick up from there with UF.

eholz1
Communicator

Hello PickleRick,

Thanks for the reply. In our case we want to use the cisco TA Network plugin. We are monitoring only

logs from cisco devices which do not have UF capability. But, I will consider your suggestion.

The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions.

I will look at reading Cisco logs being sent to our syslog server, reading the cisco logs, perhaps over tcp and using custom outputs.conf on the UF, and custom inputs.conf on the indexer and setting sourcetype to cisco:ios, etc.

Thanks,

eholz1 -

0 Karma

PickleRick
Ultra Champion

I'm not saying you should install UF on the cisco devices which you of course cannot do. I'm saying the proper way to receive syslog events is by means of external syslog collector.

"The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions". And here you are completely mistaken. Firstly it's not "thanks to security features in Splunk" (which has nothing to do with it as it's just a userspace program) "and newer Linux distributions" (because it's a typical limitation back from the early days of unix systems). And secondly, with newer Linux releases you could try to use setcap to grant capability to bind on a low port as a non-root user but people report "limited success" (But I didn't investigate this matter so that might be due to PEBKAC as well as a genuine inability to do that on system level).

And I strongly advise to use external syslog collector - it will come in handy many times in the future.

0 Karma

eholz1
Communicator

Hello manjunathmeti

Thanks for the reply. In our case we want to use the cisco TA Network plugin. We are monitoring only

logs from cisco devices which do not have UF capability. But, I will consider your suggestion.

The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions.

I will look at the links you provided, to double check. But the base problem is: If we want to send logs direct from the cisco device (routers and switches) the logging feature on the ios on these devices ONLY allows the use of port 514 to send data to splunk. The whole idea here is to leverage the Splunk Cisco TA plugin to search and organized data.

Thanks,

eholz1

 

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...