- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Only one syslog shows up on server
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Only one syslog shows up on server
I have a new windows install and I can only get one syslog to show up. Any other devices I direct to send their logs do not show up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are your routing tables on the devices generating the syslogs identical?
(PS: If you are using the native Splunk syslog server then you are not using syslog-ng.)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How have you configured your settings? If you are doing it via a data stream, then there are three things that need to be done for it to work.
- The syslog servers need to be configured to send data to a specific port on the Splunk machine e.g. TCP/5000
- The splunk server needs to be configured to read that port and index the data. This can be found under inputs.
- The firewalls between the machines must be configured to allow that data to flow through the TCP/UDP ports. This includes the local windows firewall too.
A quick google search for any of these things will give you the information you need to do that.
Similiar principles apply if you're using a forwarder.. except in step 1, the forwarder reads the syslog and forwards it instead of the machine directly sending it out as a syslog stream.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I assume you've done a trace on both ends to make sure that the syslog data is being sent from the originating servers and being received on the splunk instance??
Is there another syslog daemon running on your splunk instance or another application using that port? If so then it's possible the syslogs coming int your machine are being aggregated into the local syslog..
I would suggest doing a netstat to make sure there's no other applications using that. Or changing to a different port above 1024..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have setup a UDP syslog on port 514 on the splunk server and it is receiving data on that port from one device.
the second device is on the same subnet and it is still not showing up
the 3rd device is on the other side of a vpn and all ports and traffic UDP and TCP are allowed. all of my other services on all other devices and servers do not have any issues connecting over this link
firewall on the splunk server is off and there are also rules allowing all connections to udp port 514
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The splunk server is on subnet 192.168.30.x
I added a pfsense at 192.168.30.254 and the logs show up
I try to add a dell switch from 192.168.30.1 and it does not show up
I try to add a pfsense from 192.168.20.254 and it doesn't show up (I assume I need a forwarder for this one?)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you elaborate? It is unclear with what you need help.
Jesse Trucks
Minister of Magic
Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!
Logs to Metrics
Developer Spotlight with Paul Stout
