Getting Data In

How to receive syslog from QNAP

05500
New Member

The settings on the QNAP are just the 4 below.

1. Enable syslog
2. Configure the destination (Splunk) server IP address
3. UDP port: 514
4. Log type: system event log

Then, how can I set it up on the Splunk server?
Receive syslog on UDP port 514? But I cannot receive the syslog.
Did I make a mistake with the source type?
Is there an original source type for QNAP?

0 Karma

jrodman
Splunk Employee

It would be helpful to specify what QNAP is. Some quick googling suggests it is a cloud storage service. If this is the case, then the first question would be: are you certain UDP packets from the cloud service will reach your Splunk system? It's commonplace not to allow such traffic into corporate networks from the outside.

If you need to learn how to use Splunk search, refer to the Splunk documentation on searching. A very broad search over all indexes and all time for some keyword you know to be present should quickly determine whether the data is arriving at all. At this point I would suggest engaging network expertise to determine whether the packets are reaching the Splunk-installed system, and if so, to validate that the firewall on that system is allowing them in.

0 Karma

lmyrefelt
Builder

Hi,

Go to "Settings > Data Inputs"; there you find UDP under "Local inputs". Choose "UDP > New".
In the next section, fill in port 514; you can skip the source name and bind-to options.
In the next section, choose a source type, like qnap-syslog or something descriptive, and choose your index: qnap (if you have created such an index).

If you run Splunk on Linux, your OS user might not have permission to open a port below 1024.

Still confused? The docs are quite good nowadays and will bring you clarity:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

0 Karma

05500
New Member

Thank you for your answer.

I don't know how to search for a source type for QNAP and want to know the detailed source type.
Anyway, I have tried 'qnap-syslog' and 'qnap_syslog', but we still can't receive syslog from the QNAP.

Somebody, please let us know if you know the procedure or have tried this with a QNAP.

0 Karma

lmyrefelt
Builder

No, there is no "default / standard" source type for QNAP (maybe the "regular" syslog?).

Well, the source type in this case can be whatever you want it to be, and the same goes for the index. The important thing is that you have a clear communications path between your devices. If your QNAP is hosted off site, you might need to open a couple of ports in the firewall for it to be able to send data to Splunk.

In short: create an index in Splunk (qnap), create a new UDP input (port 10514), assign this new input a source type ('qnap-syslog') and also assign this input an index (qnap).
Now configure your QNAP to send its syslog to splunk:10514.
In Splunk search, issue: index=qnap.
Make sure your index is searchable by your user.

Make sure there are no firewalls in between.

The docs WILL help you (take your time to read them).

0 Karma
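An added example, not code from this thread, from Splunk or from QNAP, that turns the steps above into something runnable and also covers jrodman's "is the data arriving at all" question. It renders the inputs.conf and indexes.conf stanzas equivalent to the UI steps (UDP port 10514, source type qnap-syslog, index qnap, as given in this answer), warns when the chosen port is privileged (the under-1024 permission point from the earlier answer), and runs a loopback send/receive of a constructed QNAP-style syslog line, parsing its PRI into facility and severity. The app directory under $SPLUNK_HOME and the sample event are assumptions.

```python
import re
import socket

# Values from the answer above: UDP port 10514, sourcetype qnap-syslog, index qnap.
DEFAULT_PORT = 10514
DEFAULT_SOURCETYPE = "qnap-syslog"
DEFAULT_INDEX = "qnap"

# Constructed RFC 3164-style line standing in for what a QNAP sends (assumption:
# real QNAP formats differ). PRI 13 = facility 1 (user) * 8 + severity 5 (notice).
SAMPLE_EVENT = "<13>Mar  5 10:15:01 NAS01 qnap: [System] Test event from QNAP"

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")


def render_splunk_config(port=DEFAULT_PORT, sourcetype=DEFAULT_SOURCETYPE, index=DEFAULT_INDEX):
    """Return (inputs_conf, indexes_conf, warnings): the inputs.conf and indexes.conf
    stanzas equivalent to Settings > Data Inputs > UDP > New plus a new index.
    Assumption: they go into a local app's local/ directory, e.g.
    $SPLUNK_HOME/etc/apps/qnap_syslog/local/ (placeholder path)."""
    warnings = []
    if port < 1024:
        # A non-root splunkd on Linux cannot bind a port below 1024, so the
        # input is created but never receives anything.
        warnings.append(f"port {port} is privileged; use a port >= 1024 "
                        "or give splunkd the capability to bind low ports")
    inputs_conf = (
        f"[udp://{port}]\n"
        f"sourcetype = {sourcetype}\n"
        f"index = {index}\n"
        "connection_host = ip\n"  # record the sending NAS's IP as the host field
    )
    indexes_conf = (
        f"[{index}]\n"
        f"homePath = $SPLUNK_DB/{index}/db\n"
        f"coldPath = $SPLUNK_DB/{index}/colddb\n"
        f"thawedPath = $SPLUNK_DB/{index}/thaweddb\n"
    )
    return inputs_conf, indexes_conf, warnings


def parse_syslog(line):
    """Split an RFC 3164 line into PRI, facility, severity, timestamp, host and
    message. Returns None if the line carries no <PRI> header."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {
        "pri": pri,
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }


def loopback_check(message=SAMPLE_EVENT, timeout=2.0):
    """Bind a UDP listener on 127.0.0.1 (port 0 lets the OS pick a free,
    unprivileged port), send one datagram to it and return the parsed event.
    This proves the local socket path and the parser work; if Splunk on the
    same host still sees nothing from the NAS, the gap is between the NAS and
    this host (routing, firewall) or in the input definition, not the format."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", 0))
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        sender.sendto(message.encode("utf-8"), ("127.0.0.1", port))
        data, (src_ip, _) = listener.recvfrom(4096)
    finally:
        sender.close()
        listener.close()
    event = parse_syslog(data.decode("utf-8", errors="replace"))
    if event is not None:
        event["src_ip"] = src_ip  # what connection_host = ip would store
    return event


if __name__ == "__main__":
    inputs_conf, indexes_conf, warnings = render_splunk_config()
    print(inputs_conf)
    print(indexes_conf)
    for w in warnings:
        print("WARNING:", w)
    print(loopback_check())
```

Running it prints the two stanzas and the parsed loopback event; rerunning `render_splunk_config(port=514)` shows the privileged-port warning that explains why the original 514 input may sit there empty on a non-root Splunk install. With the stanzas in place and splunkd restarted, `index=qnap` over all time is the search to confirm events are landing.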

ppablo
Retired

Hi @05500

I don't know much about QNAP, but this previous Answers post and blog might give you some ideas about receiving syslog data in Splunk:
http://answers.splunk.com/answers/144357/why-is-syslog-right-into-splunk-so-bad-wrong.html
http://www.georgestarcher.com/splunk-success-with-syslog/

0 Karma