Sorry for the new post, but the system seems to not let me add in comments on the original one.
Ok so I have now rebuilt my production machine a second time with Debian 6.0.6 and Splunk 5.0.2. I have configured my ASA5510 to send Syslog data through TCP/1470 (originally done for test machine and it worked). I have configured Splunk to accept Syslog data through TCP/1470 but again no data is coming in. I have checked the Netstat in Debian and the following is reported
Protocol – TCP, IP Source – 0.0.0.0, Port/Service – 1470, Status – Listen
Can somebody tell me if this is the proper configuration? I assume it is because I have done nothing different with respect to the Debian install between the original test box and the production box. The only difference I can see in the two is that the test box was using Splunk 5.0.1.
I am not overly familiar with Linux and Splunk so any help would be appreciated.
I doubt if anyone is paying attention to this question anymore, but just in case:
To disable iptables run:
and then run your tcpdump command again. You should see traffic coming in. If not, then there's probably some external firewall blocking traffic.
If you do see traffic, then the host firewall (iptables) was the problem. You'll either need to configure it to allow the traffic through (Debian iptables document), or leave it off (document for update-rc.d).
Hope that helps!
/usr/sbin/tcpdump -i any port 1470
If you dont have tcpdump installed. you probably need to.
Unless the asa and splunk server are on the same network, firewalls / routing could very well be the problem. If running tcpdump shows no traffic, thats what i'd look into 1st
So where do I run tcpdump from? I opened a cli in Debian and it says command not found.
Again I am not familiar with Linux, Splunk, of the ASA's for that matter. I am a 1 man shop and I have enough things to learn and work on. I saw Splunk listed as a good logging software and the test box i setup worked just fine, but now with a production box in place nothing is working and I have NO clue why.