Re: Not seeing UDP 514 traffic

ajparagas · ‎10-07-2011

I have configured my syslog-ng.conf file as follows;

#
# This should behave pretty much like the original syslog on RedHat. But
# it could be configured a lot smarter.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#

options {
        sync (0);
        time_reopen (10);
        log_fifo_size (1000);
        long_hostnames (off);
        use_dns (yes);
        use_fqdn (no);
        create_dirs (no);
        keep_hostname (yes);
};


source s_sys {
        file ("/proc/kmsg" log_prefix("kernel: "));
        unix-stream ("/dev/log");
        internal();
        udp(ip("0.0.0.0") port(514));
};

destination d_cons { file("/dev/console"); };
destination d_mesg { file("/var/log/messages"); };
destination d_auth { file("/var/log/secure"); };
destination d_mail { file("/var/log/maillog" sync(10)); };
destination d_spol { file("/var/log/spooler"); };
destination d_boot { file("/var/log/boot.log"); };
destination d_cron { file("/var/log/cron"); };
destination d_kern { file("/var/log/kern"); };
destination d_mlal { usertty("*"); };

filter f_kernel     { facility(kern); };
filter f_default    { level(info..emerg) and
                        not (facility(mail)
                        or facility(authpriv)
                        or facility(cron)); };
filter f_auth       { facility(authpriv); };
filter f_mail       { facility(mail); };
filter f_emergency  { level(emerg); };
filter f_news       { facility(uucp) or
                        (facility(news)
                        and level(crit..emerg)); };
filter f_boot   { facility(local7); };
filter f_cron   { facility(cron); };

#log { source(s_sys); filter(f_kernel); destination(d_cons); };
log { source(s_sys); filter(f_kernel); destination(d_kern); };
log { source(s_sys); filter(f_default); destination(d_mesg); };
log { source(s_sys); filter(f_auth); destination(d_auth); };
log { source(s_sys); filter(f_mail); destination(d_mail); };
log { source(s_sys); filter(f_emergency); destination(d_mlal); };
log { source(s_sys); filter(f_news); destination(d_spol); };
log { source(s_sys); filter(f_boot); destination(d_boot); };
log { source(s_sys); filter(f_cron); destination(d_cron); };

# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:



################################################################################

# Filter for cisco default log facility
# Gavin White 2011-10-05
filter f_cisco { facility(local7); };

# Filter for Juniper modified log facility
# NB you must override the default facility on your junos device:
# set system syslog host $host facility-override local6
# Gavin White 2011-10-05
filter f_juniper { facility(local6); };

# Destination for network logging
# Gavin White 2011-10-05
destination d_network { file("/var/log/network"); };

# Log statement for all network logging
# Gavin White 2011-10-05
log { source(s_sys); filter(f_cisco); destination(d_network); };
log { source(s_sys); filter(f_juniper); destination(d_network); };

Drainy · ‎10-10-2011

Have you added port 514 to Splunk as an incoming port? You do this through "Data Inputs" in the manager view.
http://docs.splunk.com/Documentation/Splunk/4.2.3/Data/Configureyourinputs

Also, I would be tempted to change the address of 0.0.0.0 to possibly 127.0.0.1 or your adapter IP address (there may be issues with your host files or if you have multiple adapters on the machine causing confusion)

You also need to make sure that port 514 isn't being blocked by any client or hardware firewall that may be on your machine or network.

Not seeing UDP 514 traffic

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation