Getting Data In

Linux Syslogd Config

Communicator

This is not a Splunk-specific question, however it is very related and involves the config of syslog on a Linux host that will NOT send to my Splunk server.

I have a Linux server running syslogd ver 1.4.1 and I have added a line to the syslog.conf file that has `*.* @192.168.1.1:64514`
(I use port 64514 due to a port conflict but it works). Keep in mind I have this working on other hosts.

When I trigger an event I get nothing on Splunk. If I run a packet capture on the host I do not even see the packets attempting to leave. However, if I remove the port number (64514), I do see traffic leaving on port 514.

Can anyone help with this problem?


New Member

Hi Friend,

See here, you have just mentioned the IP address of the other host in the syslog.conf file, to which all your logs listening on port 514 are to be forwarded. Tell me, have you installed and configured Splunk on the 192.168.1.1 server?

Inform me whether my comments above gave you an idea.

Regards,
Aravinth


Communicator

If this is close to the man page for your syslogd, it may not have support for logging to an alternate port: http://linux.die.net/man/8/syslogd

I can recommend rsyslog as a very flexible alternative.

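To make the point in the answer above concrete, here is an added example (not code from the thread or from either syslog project): a small POSIX sh audit that classifies syslog.conf forwarding rules, flags the `@host:port` form the legacy sysklogd man page does not document, and prints the rsyslog `omfwd` action that carries the same target and port. The rule lines are constructed samples modelled on the question; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Legacy sysklogd documents only "@host"
# forwarding targets; a "host:port" suffix is not a supported form, which fits
# the symptom in the question (no packets leave the host at all). rsyslog
# accepts the same legacy line and also a native omfwd action, shown here.

# check_forward_rule "<selector> @<target>" prints one of:
#   "ok <host> 514"               plain @host: fine for sysklogd and rsyslog
#   "needs-rsyslog <host> <port>" @host:port: needs rsyslog (or similar)
#   "not-forward"                 not a network forwarding rule
check_forward_rule() {
    _rule=$1
    # second field is the action; strip the leading @ (UDP) or @@ (rsyslog TCP)
    _target=$(printf '%s\n' "$_rule" | awk '$2 ~ /^@@?/ {sub(/^@@?/, "", $2); print $2}')
    [ -n "$_target" ] || { echo "not-forward"; return 0; }
    case $_target in
        *:*) echo "needs-rsyslog ${_target%%:*} ${_target##*:}" ;;
        *)   echo "ok $_target 514" ;;
    esac
}

# rsyslog_omfwd <host> <port> [udp|tcp] prints the equivalent rsyslog action()
rsyslog_omfwd() {
    printf 'action(type="omfwd" target="%s" port="%s" protocol="%s")\n' \
        "$1" "$2" "${3:-udp}"
}

# Constructed sample rules: the question's line, the port-less form, a local file.
SAMPLE_RULES='*.* @192.168.1.1:64514
*.* @192.168.1.1
kern.* /var/log/kern.log'

# audit_rules prints one verdict line per sample rule
audit_rules() {
    printf '%s\n' "$SAMPLE_RULES" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $(check_forward_rule "$line")
        case $1 in
            needs-rsyslog) printf '%s -> not a sysklogd form; rsyslog: %s\n' \
                               "$line" "$(rsyslog_omfwd "$2" "$3")" ;;
            ok)            printf '%s -> fine on sysklogd (UDP 514)\n' "$line" ;;
            *)             printf '%s -> not a forwarding rule\n' "$line" ;;
        esac
    done
}
```

Run `audit_rules` against a real config by replacing `SAMPLE_RULES` with `$(grep '@' /etc/syslog.conf)`; any `needs-rsyslog` verdict is a line the legacy daemon will not forward.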

Communicator

Thanks for that. I had "suspected" this was the case but could not see it documented but it does explain why it does not work. I'll go with rsyslog.

Thanks


Communicator

Yes I am able to get a connection to the ip:port combination.


Splunk Employee

Can you check if you are able to connect to the IP and port? You can do 'telnet 192.168.1.1 64514' or 'echo "test" | nc 192.168.1.1 64514'.


Communicator

I have now checked and no, the port is not being used.


Super Champion

Did you check netstat to see if the port you are trying to use is already in use?
