Juniper SRX 380

abeaulieu
Splunk Employee

Hi all, asking for a friend.

I have a Juniper SRX380 for my firewall, and I am trying to bring data into Splunk on-prem. On the Juniper side, I configured it to send to Splunk using the CLI with these commands (below), then committed the configuration:

set security log mode stream

set security log source-address <SRXip>

set security log stream Splunk format sd-syslog

set security log stream Splunk host <splunkhostIP>

set system syslog host <splunkhostIP> port 1514

On the Splunk side, I configured a UDP listener on port 1514, gave it the optional "Select from connection", and plopped the SRXip there. I set the source type to be "juniper" from the Juniper-TA.

I used Wireshark to do a pcap analysis, and noticed that the SRX wasn't communicating with Splunk. I have a hunch that it's a Juniper issue, but I'm not a Juniper expert.

The problem is that there is still no data coming in. Is there something wrong that I did on either the Juniper side or the Splunk side? Also, I made sure UDP port 1514 was opened. Any troubleshooting tips would be appreciated.


Chef
Explorer

Hi abeaulieu,

If the traffic isn't even reaching Splunk the only thing I can think to check is the routing table on your Juniper firewall. It's possible a static route isn't configured for the Splunk server so it's sending syslog data down the wrong path.

You could also try opening TCP 1514 as well and attempting to telnet from the firewall to your Splunk system on that port. If the telnet succeeds you know the network is ok and the problem is with the Juniper firewall sending the syslog data (do you have to commit the changes?).

Hope this helps!

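A stand-in for the Splunk UDP input, added here as an example and not code from the thread, from Juniper or from Splunk: it binds the port, checks each datagram's sender against the SRX source address (what "Select from connection" restricts to), and parses the sd-syslog (RFC 5424) format the stream is set to, so you can tell "nothing arrives" apart from "arrives but is not parsed". The SRX IP, port and sample message are constructed placeholders.

```python
import re
import socket

# Constructed placeholders: use the real <SRXip> and listener port.
EXPECTED_SRX_IP = "192.0.2.10"
LISTEN_PORT = 1514

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID then SD/MSG
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) ?(?P<rest>.*)$", re.DOTALL)
# One structured-data element; escaped "\]" inside values does not end it.
SD_RE = re.compile(r"\[(?P<id>[^\s\]]+)(?P<params>(?:[^\]\\]|\\.)*)\]")
PARAM_RE = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')

# Constructed sample in the shape of an SRX RT_FLOW session-create record.
SAMPLE = (b'<14>1 2024-05-01T12:00:00.000Z srx380 RT_FLOW - RT_FLOW_SESSION_CREATE '
          b'[junos@2636.1.1.1.2.129 source-address="10.1.1.5" source-port="51000" '
          b'destination-address="203.0.113.7" destination-port="443" protocol-id="6"] '
          b'session created 10.1.1.5/51000->203.0.113.7/443')


def parse_sd_syslog(line: str) -> dict:
    """Split one sd-syslog line into header fields and SD-ID -> {param: value}."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 message: %r" % line[:60])
    pri = int(m.group("pri"))
    msg = {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group("ts"),
           "host": m.group("host"), "app": m.group("app"),
           "msgid": m.group("msgid"), "sd": {}}
    for sd in SD_RE.finditer(m.group("rest")):
        msg["sd"][sd.group("id")] = dict(PARAM_RE.findall(sd.group("params")))
    return msg


def check_datagram(data: bytes, src_ip: str) -> tuple:
    """Return (accepted, reason) the way a source-restricted listener decides."""
    if src_ip != EXPECTED_SRX_IP:
        return False, "dropped: sender %s is not %s" % (src_ip, EXPECTED_SRX_IP)
    try:
        msg = parse_sd_syslog(data.decode("utf-8", "replace"))
    except ValueError as exc:
        return False, "unparsable: %s" % exc
    return True, "%s/%s from %s" % (msg["app"], msg["msgid"], msg["host"])


def listen(port: int = LISTEN_PORT) -> None:
    """Receive loop; stop Splunk's own input on this port first or pick another."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("0.0.0.0", port))
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            print(ip, *check_datagram(data, ip))


if __name__ == "__main__":
    listen()
```

If the loop prints nothing while a capture on the SRX shows packets leaving, the problem is on the path; if it prints "dropped" lines, the sender address differs from the one the listener was restricted to.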