Getting Data In

How do I send Cisco Meraki FW logs?

frizzoS3
New Member

I am trying to send logs from Cisco Meraki FW to our Splunk instance. No universal forwarder is on the FW. Can I still have the logs sent to Splunk?...would it be on port 514 or 9997?
Thank you

Tags (2)
0 Karma
1 Solution

rphillips_splk
Splunk Employee
Splunk Employee

@frizzoS3 port 9997 is the default port Splunk receives cooked TCP data on (from another splunk instance , ie: forwarder). Splunk can also receive uncooked (not processed by another Splunk instance) data over TCP or UDP. So if your Meraki appliance is sending syslog data to the Splunk indexer via port 514, then on the Splunk receiver you would need to enable UDP 514 in inputs.conf

inputs.conf
[udp://<remote server>:<port>]

  • Similar to the [tcp://] stanza, except that this stanza causes the Splunk
    instance to listen on a UDP port.

  • Only one stanza per port number is currently supported.

  • Configures the instance to listen on a specific port.

  • If you specify <remote server> , the specified port only accepts data
    from that host.

  • If <remote server> is empty - [udp://] - the port accepts data sent
    from any host.

  • The use of <remote server> is not recommended. Use the 'acceptFrom'
    setting, which supersedes this setting.

  • Generates events with source set to udp:portnumber, for example: udp:514

  • If you do not specify a sourcetype, generates events with sourcetype set
    to udp:portnumber.

ie:
configure on indexer
$SPLUNK_HOME/etc/system/local/inputs.conf
[udp://514]
disabled = 0

View solution in original post

0 Karma

rphillips_splk
Splunk Employee
Splunk Employee

@frizzoS3 port 9997 is the default port Splunk receives cooked TCP data on (from another splunk instance , ie: forwarder). Splunk can also receive uncooked (not processed by another Splunk instance) data over TCP or UDP. So if your Meraki appliance is sending syslog data to the Splunk indexer via port 514, then on the Splunk receiver you would need to enable UDP 514 in inputs.conf

inputs.conf
[udp://<remote server>:<port>]

  • Similar to the [tcp://] stanza, except that this stanza causes the Splunk
    instance to listen on a UDP port.

  • Only one stanza per port number is currently supported.

  • Configures the instance to listen on a specific port.

  • If you specify <remote server> , the specified port only accepts data
    from that host.

  • If <remote server> is empty - [udp://] - the port accepts data sent
    from any host.

  • The use of <remote server> is not recommended. Use the 'acceptFrom'
    setting, which supersedes this setting.

  • Generates events with source set to udp:portnumber, for example: udp:514

  • If you do not specify a sourcetype, generates events with sourcetype set
    to udp:portnumber.

ie:
configure on indexer
$SPLUNK_HOME/etc/system/local/inputs.conf
[udp://514]
disabled = 0

0 Karma

frizzoS3
New Member

Hi
Thank you for the info.
Would I need to restart the indexer after updating the file?

0 Karma

frizzoS3
New Member

Thank you for the info...greatly appreciated.

0 Karma

frizzoS3
New Member

Good Morning

I am currently not seeing any Sys logs coming from the FW...should I enable the following command?

splunk enable listen -auth :

This is the config on the inputs.conf file....
[udp://514]
disable = 0

Thank you

Frank

Thank you.

0 Karma

rphillips_splk
Splunk Employee
Splunk Employee

yes the indexer would need a restart
$SPLUNK_HOME/bin
./splunk restart

0 Karma

frizzoS3
New Member

HI
Thank you for that.
Would I need to restart the indexer after updating the inputs file?

0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...