Getting Data In

Only one syslog shows up on server

slacknetter
New Member

I have a new Windows install and I can only get one syslog to show up. Any other devices I direct to send their logs do not show up.

0 Karma

grijhwani
Motivator

Are your routing tables on the devices generating the syslogs identical?

(PS: If you are using the native Splunk syslog server then you are not using syslog-ng.)

0 Karma

yong_ly
Path Finder

How have you configured your settings? If you are doing it via a data stream, then there are three things that need to be done for it to work.

  1. The syslog servers need to be configured to send data to a specific port on the Splunk machine e.g. TCP/5000
  2. The Splunk server needs to be configured to read that port and index the data. This can be found under inputs.
  3. The firewalls between the machines must be configured to allow that data to flow through the TCP/UDP ports. This includes the local Windows firewall too.

A quick google search for any of these things will give you the information you need to do that.

Similar principles apply if you're using a forwarder, except in step 1, the forwarder reads the syslog and forwards it instead of the machine directly sending it out as a syslog stream.

0 Karma

yong_ly
Path Finder

I assume you've done a trace on both ends to make sure that the syslog data is being sent from the originating servers and being received on the Splunk instance?

Is there another syslog daemon running on your Splunk instance or another application using that port? If so then it's possible the syslogs coming into your machine are being aggregated into the local syslog.

I would suggest doing a netstat to make sure there are no other applications using that port. Or changing to a different port above 1024.

0 Karma
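As an added diagnostic (not posted by anyone in this thread), a small Python UDP listener that tallies inbound syslog datagrams per source IP, so you can see which of the expected senders reach the Splunk host at all before digging into the input configuration. It assumes Splunk's own UDP 514 input is stopped while it runs (or that you point it at a spare port); the sample datagrams and the `EXPECTED` list are constructed from the addresses mentioned in the thread.

```python
import re
import socket
from collections import defaultdict
# "<PRI>" prefix of an RFC 3164 line: facility = PRI // 8, severity = PRI % 8
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

def parse_syslog(raw: bytes) -> dict:
    """Decode one datagram; a line without a valid PRI is kept, not dropped."""
    text = raw.decode("utf-8", errors="replace").rstrip("\r\n")
    m = _PRI_RE.match(text)
    if not m or int(m.group(1)) > 191:
        return {"facility": None, "severity": None, "body": text}
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7, "body": m.group(2)}

def summarize(datagrams) -> dict:
    """Per source IP: count, severities seen, last body (absent key = never arrived)."""
    out = defaultdict(lambda: {"count": 0, "severities": set(), "last": ""})
    for ip, payload in datagrams:
        msg = parse_syslog(payload)
        out[ip]["count"] += 1
        if msg["severity"] is not None:
            out[ip]["severities"].add(msg["severity"])
        out[ip]["last"] = msg["body"]
    return dict(out)

def missing_senders(summary: dict, expected_ips) -> list:
    """Expected senders from which nothing at all was received."""
    return sorted(ip for ip in expected_ips if ip not in summary)

def capture(bind_ip="0.0.0.0", port=514, max_packets=200, timeout=60.0):
    """Bind the port (stop Splunk's UDP input first, or use a spare port); stop at max_packets or after `timeout` s of silence."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((bind_ip, port))
        try:
            for _ in range(max_packets):
                payload, (ip, _port) = sock.recvfrom(65535)
                seen.append((ip, payload))
        except socket.timeout:
            pass
    return seen

# Constructed datagrams standing in for the thread's three senders; in real use: summarize(capture())
EXPECTED = ["192.168.30.254", "192.168.30.1", "192.168.20.254"]
SAMPLE = [
    ("192.168.30.254", b"<134>Jan  5 10:00:01 pfsense filterlog: block,in,igb0"),
    ("192.168.30.1", b"<190>Jan  5 10:00:02 dell-switch %LINK: port up"),
    ("192.168.30.254", b"<132>Jan  5 10:00:03 pfsense sshd: failed login"),
]
```

If a device's IP never appears in the summary, the problem is upstream of Splunk (device config, routing, or a firewall); if it appears but nothing is indexed, the Splunk input itself is the place to look.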

slacknetter
New Member

I have set up a UDP syslog input on port 514 on the Splunk server and it is receiving data on that port from one device.
The second device is on the same subnet and it is still not showing up.
The 3rd device is on the other side of a VPN and all ports and traffic, UDP and TCP, are allowed. All of my other services on all other devices and servers do not have any issues connecting over this link.
The firewall on the Splunk server is off and there are also rules allowing all connections to UDP port 514.

0 Karma

slacknetter
New Member

The Splunk server is on subnet 192.168.30.x.
I added a pfSense at 192.168.30.254 and the logs show up.
I try to add a Dell switch from 192.168.30.1 and it does not show up.
I try to add a pfSense from 192.168.20.254 and it doesn't show up (I assume I need a forwarder for this one?).

0 Karma

jtrucks
Splunk Employee

Can you elaborate? It is unclear with what you need help.

0 Karma