Getting Data In

How to configure a monitor to accept connections from tcp 514

Engager

I am attempting to set up the Cisco ESA app. On configuring the inputs.conf file I have [monitor://\mail_logs\mail.@20130712T172736.s] per the instructions; however, I need to ensure the app is listening on TCP port 514. Where can I set that?

0 Karma

Re: How to configure a monitor to accept connections from tcp 514

Builder

For a Heavy Forwarder, it's usually recommended to collect data using something like syslog-ng or rsyslog. You can, however, set up a TCP or UDP input directly in the inputs.conf file. See the following Splunk documentation:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

0 Karma

Re: How to configure a monitor to accept connections from tcp 514

Engager

For the location of the monitor, then, would I place it under source? For example:
[tcp://:514]
source = \mail_logs\mail.@20130712T172736.s

0 Karma

Re: How to configure a monitor to accept connections from tcp 514

Builder

You're actually going to need to configure two different inputs here. One is for textmail and HTTP logs. The other is for authentication logs.

http://docs.splunk.com/Documentation/AddOns/latest/CiscoESA/ConfigureCiscoESA

For Textmail and HTTP Logs

I would highly recommend following the app instructions, as they're laid out pretty nicely. For setting up Splunk to listen on a specific port, you'll want to use the following document: http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports#Go_to_the_Add_New_page

For authentication logs

You'll want to use a monitor stanza, but you're going to want to monitor the paths to the files that you are receiving from your ESA administrator. If those are the same as you described above, then that monitor stanza should work.

In a file called inputs.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-esa/local you'll have something like:

[monitor://\authentication.@20130302T122552.s]
sourcetype = cisco:esa:authentication

0 Karma

Re: How to configure a monitor to accept connections from tcp 514

Engager

I am not able to add data inputs via Splunk Web on the heavy forwarder. I need to do it via inputs.conf, and the user needs to be able to send data via TCP 514 and not UDP. Unfortunately, the instructions only mention the monitor portion, but not the case where the port is different.

0 Karma

Re: How to configure a monitor to accept connections from tcp 514

Builder

Ah I see, sorry about that.

So your input should be fairly straightforward:

 [tcp://514]
 sourcetype=cisco:esa:http

One thing to note is that if you aren't running Splunk as root, then on many Unix operating systems Splunk won't be able to listen on port 514. You would just need to change your input stanza to a different port and configure your ESA to send to that different port. For example:

 [tcp://5140]
 sourcetype=cisco:esa:http
0 Karma

Re: How to configure a monitor to accept connections from tcp 514

Engager

Thank you for your response. We have other hosts that are going to port 514. I've put this into inputs.conf:
[tcp://hostname:514]
source = \mail_logs\mail.@20130712T172736.s
sourcetype = cisco:esa:textmail
index = ironport

Do you happen to know if this would work to collect logs from a particular host going to 514?

0 Karma

Re: How to configure a monitor to accept connections from tcp 514

Builder

So in the case of [tcp://<host>:514] as an example:

If you specify <host>, the specified port only accepts data from that host.
If you specify nothing for <host> - [udp://<port>] - the port accepts data sent from any host.

0 Karma
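As an added example that is not part of this thread and not Splunk's own code, the following Python script lints the network-input stanzas of an inputs.conf for the three pitfalls the thread runs into: a privileged port (514) when splunkd is not running as root, a listener with no sender host (accepts from anyone) versus one restricted to a host, and a file path placed in `source` on a tcp:// stanza, which only labels the data and does not select a file. The sample config is constructed from the stanzas posted above; the hostname esa01.example.com and the `running_as_root` flag are assumptions for illustration.

```python
"""Lint Splunk inputs.conf network-input stanzas (added example, not Splunk code)."""
import configparser
import re
from dataclasses import dataclass

# Constructed sample: the stanzas posted in the thread, side by side.
# esa01.example.com is an assumed sender hostname.
SAMPLE_INPUTS_CONF = """\
[tcp://:514]
source = \\mail_logs\\mail.@20130712T172736.s
sourcetype = cisco:esa:textmail
index = ironport

[tcp://esa01.example.com:5140]
sourcetype = cisco:esa:textmail
index = ironport

[udp://514]
sourcetype = syslog

[monitor://C:\\authentication.@20130302T122552.s]
sourcetype = cisco:esa:authentication
"""

# [tcp://514], [tcp://:514] and [tcp://host:514] are all valid Splunk forms;
# only the last restricts the sender. Bracketed IPv6 hosts are not handled.
NET_STANZA = re.compile(
    r"^(?P<proto>tcp|udp|splunktcp)://(?:(?P<host>[^:]*):)?(?P<port>\d+)$"
)
PRIVILEGED_PORT_MAX = 1023  # ports <= 1023 need root or CAP_NET_BIND_SERVICE on Unix


@dataclass
class Finding:
    stanza: str
    level: str  # "error" or "info"
    message: str


def parse_inputs_conf(text: str) -> configparser.ConfigParser:
    """Splunk .conf files are INI-like. Use '=' as the only delimiter so values
    such as cisco:esa:http are not split, and disable interpolation so
    backslashes in Windows paths survive untouched."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.optionxform = str  # keep key case as written
    cfg.read_string(text)
    return cfg


def lint_inputs_conf(text: str, running_as_root: bool = False) -> list:
    """Return a list of Findings for every tcp://, udp:// or splunktcp:// stanza."""
    findings = []
    cfg = parse_inputs_conf(text)
    for stanza in cfg.sections():
        m = NET_STANZA.match(stanza)
        if not m:
            continue  # monitor://, script://, etc. are not network listeners
        host, port = m.group("host"), int(m.group("port"))
        if port <= PRIVILEGED_PORT_MAX and not running_as_root:
            findings.append(Finding(stanza, "error",
                f"port {port} is privileged; an unprivileged splunkd cannot bind it. "
                "Use a port above 1023 (and point the sender at it) or front it with "
                "rsyslog/syslog-ng running as root and monitor the files it writes."))
        if host:
            findings.append(Finding(stanza, "info",
                f"accepts connections only from {host}; other senders to port {port} are refused"))
        else:
            findings.append(Finding(stanza, "info",
                f"no host given; accepts data from any host on port {port}"))
        source = cfg[stanza].get("source", "")
        if re.search(r"[\\/]", source):
            findings.append(Finding(stanza, "error",
                f"source = {source!r} looks like a file path, but on a network input "
                "'source' is only a metadata label and selects nothing; "
                "put file paths in a [monitor://...] stanza instead."))
    return findings


if __name__ == "__main__":
    for f in lint_inputs_conf(SAMPLE_INPUTS_CONF, running_as_root=False):
        print(f"[{f.stanza}] {f.level.upper()}: {f.message}")
```

Run it against a real $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf by reading the file into `lint_inputs_conf`; pass `running_as_root=True` only if splunkd actually runs as root, which is itself worth avoiding in favour of a high port or a syslog relay.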