Install not working #2

New Member

Sorry for the new post, but the system seems to not let me add in comments on the original one.

Ok so I have now rebuilt my production machine a second time with Debian 6.0.6 and Splunk 5.0.2. I have configured my ASA5510 to send Syslog data through TCP/1470 (originally done for test machine and it worked). I have configured Splunk to accept Syslog data through TCP/1470 but again no data is coming in. I have checked the Netstat in Debian and the following is reported
Protocol – TCP, IP Source – 0.0.0.0, Port/Service – 1470, Status – Listen

Can somebody tell me if this is the proper configuration? I assume it is because I have done nothing different with respect to the Debian install between the original test box and the production box. The only difference I can see in the two is that the test box was using Splunk 5.0.1.
I am not overly familiar with Linux and Splunk so any help would be appreciated.

0 Karma

Splunk Employee

I doubt if anyone is paying attention to this question anymore, but just in case:

To disable iptables run:

/etc/init.d/iptables stop

and then run your tcpdump command again. You should see traffic coming in. If not, then there's probably some external firewall blocking traffic.

If you do see traffic, then the host firewall (iptables) was the problem. You'll either need to configure it to allow the traffic through (Debian iptables document), or leave it off (document for update-rc.d).

Hope that helps!

0 Karma
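Added example, not part of this thread: a small shell check that does what the answer above suggests without switching the host firewall off. It reads the INPUT chain as `iptables -S INPUT` prints it and works out whether a new TCP connection on the syslog port would be accepted, then (on the live host) confirms the listener and watches for packets. It assumes a plain iptables ruleset; rules keyed on interface, source or connection state are treated as not matching remote syslog traffic, and `--dports`/multiport is not parsed.

```sh
# Added example. Rules are evaluated in order: the first rule naming the port
# decides, an unconditional catch-all (e.g. "-A INPUT -j DROP") decides, and
# otherwise the chain policy decides. Assumption: rules keyed on interface,
# source or state are treated as not matching remote syslog traffic.

verdict_for_port() {
    port="$1"
    policy="ACCEPT"                     # default policy if no -P line is seen
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT "*) policy="${line#-P INPUT }" ;;
            "-A INPUT "*)
                target="${line##* -j }"   # text after the last " -j "
                target="${target%% *}"    # drop options such as --reject-with
                case " $line " in
                    *" -p tcp "*" --dport $port "*) echo "$target"; return 0 ;;
                    " -A INPUT -j "*)               echo "$target"; return 0 ;;
                esac ;;
        esac
    done
    echo "$policy"
}

# On the live Debian host (as root): is Splunk listening, would iptables let
# the ASA's connection in, and do any packets arrive within 10 seconds?
check_host() {
    port="${1:-1470}"
    netstat -ltn | grep -q ":$port " && echo "listener: yes" || echo "listener: no"
    echo "iptables verdict for tcp/$port: $(iptables -S INPUT | verdict_for_port "$port")"
    timeout 10 tcpdump -ni any -c 5 "tcp port $port"
}

# Constructed sample rulesets for an offline demonstration.
RULES_OK='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1470 -j ACCEPT'

# Same rules, but the port rule was appended after a final catch-all REJECT,
# a common mistake: the REJECT is reached first, so 1470 never opens.
RULES_BAD='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 1470 -j ACCEPT'

printf '%s\n' "$RULES_OK"  | verdict_for_port 1470   # ACCEPT
printf '%s\n' "$RULES_BAD" | verdict_for_port 1470   # REJECT
```

Run `check_host 1470` as root on the Splunk box to get all three answers at once; a verdict of DROP or REJECT points at the host firewall, while ACCEPT with no packets seen points at an upstream firewall or routing.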

Splunk Employee

Disable iptables to check.

0 Karma

New Member

OK, I installed TCPDUMP and ran the command suggested, and no traffic is showing up.

How do I check the firewall settings in Linux?

0 Karma

Influencer

/usr/sbin/tcpdump -i any port 1470

If you don't have tcpdump installed, you probably need to.

Unless the ASA and Splunk server are on the same network, firewalls / routing could very well be the problem. If running tcpdump shows no traffic, that's what I'd look into first.

0 Karma

New Member

So where do I run tcpdump from? I opened a CLI in Debian and it says command not found.

Again, I am not familiar with Linux, Splunk, or the ASAs for that matter. I am a one-man shop and I have enough things to learn and work on. I saw Splunk listed as good logging software and the test box I set up worked just fine, but now with a production box in place nothing is working and I have NO clue why.

0 Karma

Legend

If you run tcpdump for traffic on port 1470 do you see any traffic actually coming in?

0 Karma