Getting Data In

Parameter name: TCP port x is not available.

asbetsplunk
Explorer

I am using the Splunk Enterprise appliance from the AWS marketplace.

I would likely simply send syslogs from network devices directly to Splunk in my test environment. I understand that the best practice is to send syslogs to yet another syslog-ng server and have Splunk read the logs from there.

Doing the ubiquitous Google searches, I am seeing that it is likely that this error is generated because the splunk daemon is not running as root; in *nix environments, apparently only root can bind services to ports 1024 and below.

When I ssh into the instance and run ps -U splunk I can see that splunkd is run under the instance's splunk account so I'm assuming that that confirms the issue.

Since this is an appliance and there probably shouldn't be any fiddling around on the internals, is there a proper way to make this work?

Seems like this should be simple to do...


rogue_carrot
Communicator

I have a similar problem. Only I am trying to capture packets on TCP port 51000. This port is well above 1024 and still I receive the error you have. 😕 What gives?


jkat54
SplunkTrust

What is your setup/architecture, @rogue_carrot?


rogue_carrot
Communicator

Very simple architecture. Just one Splunk enterprise indexer where I am trying to log data from the host operating system. In this situation I am trying to capture packets as if Splunk is Wireshark. I was able to craft some UDP packets and search those in Splunk. 🙂


jkat54
SplunkTrust

You have options.

A. run splunk as root (not recommended but people do it)
B. Set up syslog-ng to receive on port 514 (run it as root), and set it to send to port 9514 (anything over 1024 will do):

# root-owned syslog-ng listens on the privileged port and passes lines through unparsed
source s_tcp { tcp(port(514) flags(no-parse)); };
# tcp() as a destination needs a host; 127.0.0.1 assumes Splunk listens on the same box
destination d1 { tcp("127.0.0.1" port(9514)); };
# statements inside log {} are separated by semicolons, not a colon
log { source(s_tcp); destination(d1); };

C. Set up syslog-ng to receive on port 514 (run it as root), set it to write to a directory, and monitor the directory with a universal forwarder, etc.:

source s_tcp { tcp(port(514) flags(no-parse)); };
# one file per day; ${DAY}, ${MONTH} and ${YEAR} are syslog-ng date macros
destination d1 { file("/opt/data/${DAY}_${MONTH}_${YEAR}.log"); };
log { source(s_tcp); destination(d1); };

D. Setup network load balancer / firewall port translation from port 514 -> desired port. (note that haproxy and ELBs will not load balance udp)

Looks like you're doing TCP instead, so I changed my answer.
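The "port is not available" message covers two different bind failures, and telling them apart decides which of the options above applies. The following diagnostic script is an added example, not code from this thread: it binds a TCP socket the way splunkd would and separates the permission case (port below the privileged boundary while splunkd runs as the non-root splunk user, the port 514 case) from the already-in-use case, which is the likelier explanation when a port well above 1024 such as 51000 also fails. It assumes Linux; the sysctl path is the kernel's, the function names are mine.

```python
import errno
import os
import socket
from pathlib import Path

# Linux (kernel 4.11+) lets the privileged-port boundary be lowered via this
# sysctl; where it is absent the classic boundary of 1024 applies.
SYSCTL_PATH = Path("/proc/sys/net/ipv4/ip_unprivileged_port_start")


def privileged_port_start() -> int:
    """First port an unprivileged process may bind (1024 unless tuned)."""
    try:
        return int(SYSCTL_PATH.read_text().strip())
    except (OSError, ValueError):
        return 1024


def diagnose_port(port: int, host: str = "0.0.0.0") -> str:
    """Bind a TCP socket the way splunkd would and classify the outcome.

    "available": bind succeeded (probe socket closed again at once);
    "privileged": EACCES, port below the boundary and process not root;
    "in_use": EADDRINUSE, another process already holds the port;
    "error:NAME": any other errno.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return "available"
    except PermissionError:
        return "privileged"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in_use"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        probe.close()


def hold_port(host: str = "127.0.0.1") -> socket.socket:
    """Listen on an ephemeral port so the in_use case can be demonstrated."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind((host, 0))
    holder.listen(1)
    return holder


if __name__ == "__main__":
    print("euid", os.geteuid(), "unprivileged ports start at", privileged_port_start())
    for p in (514, 9514, 51000):
        print(p, diagnose_port(p))
```

Run it as the splunk user on the instance: a "privileged" verdict on 514 means the relay or port-redirect options above are needed, while "in_use" means another listener (check with `ss -ltnp`) must be stopped or a different port chosen.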

jkat54
SplunkTrust

If the answer solved your problem, please mark it as the answer.
