I am using the Splunk Enterprise appliance from the AWS marketplace.
I would likely simply send syslogs from network devices directly to Splunk in my test environment. I understand that the best practice is to send syslogs to yet another syslog-ng server and have Splunk read the logs from there.
Doing the ubiquitous Google searches, I am seeing that it is likely that this error is generated because the splunk daemon is not running as root; in *nix environments apparently only root can bind services on ports 1024 and below.
When I ssh into the instance and run ps -U splunk, I can see that splunkd is run under the instance's splunk account, so I'm assuming that confirms the issue.
Since this is an appliance and there probably shouldn't be any fiddling around on the internals, is there a proper way to make this work?
Seems like this should be simple to do...
I have a similar problem. Only I am trying to capture packets on TCP port 51000. This port is well above 1024 and still I receive the error you have. 😕 What gives?
What is your setup/architecture, @rogue_carrot?
Very simple architecture. Just one Splunk enterprise indexer where I am trying to log data from the host operating system. In this situation I am trying to capture packets as if Splunk is Wireshark. I was able to craft some UDP packets and search those in Splunk. 🙂
You have options.
A. Run Splunk as root (not recommended, but people do it).
B. Set up syslog-ng to receive on port 514 (run it as root), and set it to send to port 9514 (anything over 1024 will do):
source s_tcp { tcp(port(514) flags(no-parse)); };
destination d1 { tcp(port(9514)); };
log { source(s_tcp); destination(d1); };
C. Set up syslog-ng to receive on port 514 (run it as root), and set it to write to a directory, then monitor the directory with a universal forwarder, etc.:
source s_tcp { tcp(port(514) flags(no-parse)); };
destination d1 { file("/opt/data/${DAY}_${MONTH}_${YEAR}.log"); };
log { source(s_tcp); destination(d1); };
D. Set up network load balancer / firewall port translation from port 514 -> desired port. (Note that HAProxy and ELBs will not load balance UDP.)
Looks like you're doing TCP instead, so I changed my answer.
If the answer solved your problem, please mark it as the answer.
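Option B from the answer above in miniature, as an added example that is not part of the answer or of the Splunk/syslog-ng projects: a relay standing in for syslog-ng with flags(no-parse) forwards raw syslog lines unchanged to a listener standing in for Splunk's TCP input on 9514, and a small helper encodes the port rule, under which 514 is privileged while 9514 (and the 51000 mentioned earlier in the thread) are not. Loopback ephemeral ports replace 514 and 9514 so it runs as an ordinary user, and the syslog lines are constructed.

```python
import socket
import threading

PRIVILEGED_MAX = 1023  # Linux: binding ports 0-1023 needs root, which is why 514 fails

def is_privileged_port(port: int) -> bool:
    """True for ports a non-root splunkd cannot bind: 514 yes, 9514 and 51000 no."""
    return 0 <= port <= PRIVILEGED_MAX

def listen() -> socket.socket:
    """Bind an ephemeral loopback port; stands in for 514 (relay) or 9514 (indexer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s

def recv_all(conn: socket.socket) -> bytes:
    """Read until the peer closes the connection."""
    chunks = []
    while data := conn.recv(4096):
        chunks.append(data)
    return b"".join(chunks)

def relay(src: socket.socket, dst: tuple) -> None:
    """syslog-ng role with flags(no-parse): forward the bytes untouched."""
    conn, _ = src.accept()
    with conn, socket.create_connection(dst) as fwd:
        fwd.sendall(recv_all(conn))

def collect(src: socket.socket, out: list) -> None:
    """Splunk TCP input role: record exactly what arrived on the high port."""
    conn, _ = src.accept()
    with conn:
        out.append(recv_all(conn))

def run_demo(messages: list) -> list:
    """Send constructed syslog lines device -> relay -> indexer; return lines seen."""
    indexer, relay_in = listen(), listen()
    received = []
    workers = [threading.Thread(target=collect, args=(indexer, received)),
               threading.Thread(target=relay, args=(relay_in, indexer.getsockname()))]
    for w in workers:
        w.start()
    with socket.create_connection(relay_in.getsockname()) as device:
        device.sendall("".join(m + "\n" for m in messages).encode())
    for w in workers:
        w.join()
    for s in (indexer, relay_in):
        s.close()
    return received[0].decode().splitlines()
```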