Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Linux Syslogd Config

balcv
Contributor
‎10-03-2013 05:18 PM

This is not a splunk specific question however it is very related and involves config of syslog on a linux host that will NOT send to my splunk server.

I have a linux server running syslogd ver 1.4.1 and I have added a line to the syslog.conf file that has . @192.168.1.1:64514
(I use port 64514 due to a port conflict but it works). Keep in mind I have this working on other hosts.

When I trigger an event I get nothing on Splunk. If I run a packet capture on the host I do not even see the packets attempting to leave. However, if I remove the port number (64514), I do see traffic leaving on port 514.

Can anyone help with this problem?

Tags (2)
0 Karma
Reply

aravm8
New Member
‎11-01-2013 09:35 AM

Hi Frnd,

See here you have just mentioned the ipaddress of the other host in the syslog.conf file in which where your all logs that listening to the port 514 to be forwarded tell me that have you installed and configured the splunk on the 192.168.1.1 server?.

inform me whether above my comments gave you an idea.

Regards,
Aravinth

0 Karma
Reply

jspears
Communicator
‎10-06-2013 11:35 AM

If this is close to the man page for your syslogd, it may not have support for logging to an alternate port: http://linux.die.net/man/8/syslogd

I can recommend rsyslog as a very flexible alternative.

0 Karma
Reply

balcv
Contributor
‎10-06-2013 03:02 PM

Thanks for that. I had "suspected" this was the case but could not see it documented but it does explain why it does not work. I'll go with rsyslog.

Thanks

0 Karma
Reply

balcv
Contributor
‎10-03-2013 07:23 PM

Yes I am able to get a connection to the ip:port combination.

0 Karma
Reply

jkerai
Splunk Employee
Splunk Employee
‎10-03-2013 07:05 PM

Can you check if you are able to connect to the ip port? You can do 'telnet 192.168.1.1 64514' or 'echo "test" | nc 192.168.1.1 64154'.

0 Karma
Reply

balcv
Contributor
‎10-03-2013 05:40 PM

I have now checked and no, the port is not being used.

0 Karma
Reply

lukejadamec
Super Champion
‎10-03-2013 05:29 PM

Did you check netstat to see if the port you are trying to use is already in use?

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top