Getting Data In

How can we configure Splunk to allow access to port 514?

eholz1
Contributor

Hello All,

I am running Splunk 9.0.2 on Oracle 8.6. We monitor Cisco devices.

These devices require using port 514 to forward their syslogs to splunk.

We are running splunk as a non-root user. How can we configure Splunk to allow access to port 514?

eholz1

Labels (1)
0 Karma

PickleRick
Ultra Champion

You could try to use linux capabilities to allow for non-root binding to low port. But you shouldn't use that. The way to go is to use an external syslog server and either send the events to HEC or write to files and pick up from there with UF.

eholz1
Contributor

Hello PickleRick,

Thanks for the reply. In our case we want to use the cisco TA Network plugin. We are monitoring only

logs from cisco devices which do not have UF capability. But, I will consider your suggestion.

The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions.

I will look at reading Cisco logs being sent to our syslog server, reading the cisco logs, perhaps over tcp and using custom outputs.conf on the UF, and custom inputs.conf on the indexer and setting sourcetype to cisco:ios, etc.

Thanks,

eholz1 -

0 Karma

PickleRick
Ultra Champion

I'm not saying you should install UF on the cisco devices which you of course cannot do. I'm saying the proper way to receive syslog events is by means of external syslog collector.

"The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions". And here you are completely mistaken. Firstly it's not "thanks to security features in Splunk" (which has nothing to do with it as it's just a userspace program) "and newer Linux distributions" (because it's a typical limitation back from the early days of unix systems). And secondly, with newer Linux releases you could try to use setcap to grant capability to bind on a low port as a non-root user but people report "limited success" (But I didn't investigate this matter so that might be due to PEBKAC as well as a genuine inability to do that on system level).

And I strongly advise to use external syslog collector - it will come in handy many times in the future.

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

eholz1
Contributor

Hello manjunathmeti

Thanks for the reply. In our case we want to use the cisco TA Network plugin. We are monitoring only

logs from cisco devices which do not have UF capability. But, I will consider your suggestion.

The NON-root user cannot access any port below 1024 thanks to security features in Splunk and newer Linux distributions.

I will look at the links you provided, to double check. But the base problem is: If we want to send logs direct from the cisco device (routers and switches) the logging feature on the ios on these devices ONLY allows the use of port 514 to send data to splunk. The whole idea here is to leverage the Splunk Cisco TA plugin to search and organized data.

Thanks,

eholz1

 

0 Karma
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...