Getting Data In

Parameter name: TCP port x is not available.

asbetsplunk
Explorer

I am using the Splunk Enterprise appliance from the AWS marketplace.

I would likely simply send syslogs from network devices directly to Splunk in my test environment. I understand that the best practice is to send syslogs to yet another syslog-ng server and have Splunk read the logs from there.

Doing the ubiquitous Google searches, I am seeing that it is likely that this error is generated because the splunk daemon is not running as root; in *nix environments apparently only root can bind services on ports 1024 and below.

When I ssh into the instance and run ps -U splunk I can see that splunkd is run under the instance's splunk account so I'm assuming that that confirms the issue.

Since this is an appliance and there probably shouldn't be any fiddling around on the internals, is there a proper way to make this work?

Seems like this should be simple to do...


rogue_carrot
Communicator

I have a similar problem. Only I am trying to capture packets on TCP port 51000. This port is well above 1024 and still I receive the error you have. 😕 What gives?

0 Karma

jkat54
SplunkTrust

What is your setup/architecture, @rogue_carrot?

0 Karma

rogue_carrot
Communicator

Very simple architecture. Just one Splunk enterprise indexer where I am trying to log data from the host operating system. In this situation I am trying to capture packets as if Splunk is Wireshark. I was able to craft some UDP packets and search those in Splunk. 🙂

0 Karma

jkat54
SplunkTrust

You have options.

A. run splunk as root (not recommended but people do it)
B. setup syslog-ng to receive on port 514 (run it as root), and set it to send to port 9514 (anything over 1024 will do)

source s_tcp { tcp(port(514) flags(no-parse)); };
# the tcp() destination needs a host; 127.0.0.1 assumes the Splunk TCP input is on the same box
destination d1 { tcp("127.0.0.1" port(9514)); };
log { source(s_tcp); destination(d1); };

C. setup syslog-ng to receive on port 514 (run it as root), and set it to write to directory and monitor the directory with universal forwarder, etc.

source s_tcp { tcp(port(514) flags(no-parse)); };
destination d1 { file("/opt/data/${DAY}_${MONTH}_${YEAR}.log"); };
log { source(s_tcp); destination(d1); };

D. Setup network load balancer / firewall port translation from port 514 -> desired port. (note that haproxy and ELBs will not load balance udp)

Looks like you're doing TCP instead so I changed my answer
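The "TCP port x is not available" symptom in this thread has two distinct causes: EACCES when a non-root splunkd tries to bind a port below 1024 (the original question), and EADDRINUSE when some other process already holds the port (which is the more likely explanation for a port like 51000). The probe below, an added example written for this page rather than code from the thread or from Splunk, binds a throwaway socket and classifies the errno so you can tell the two apart before reaching for options A to D. It assumes a Linux host; 127.0.0.1 and the port numbers in the demo are constructed, and the ss command in the hint is the standard iproute2 tool.

```python
import errno
import socket

# Ports 0-1023 are "privileged": on Linux a process must run as root or hold
# CAP_NET_BIND_SERVICE to bind them. Ports 1024 and above need no privilege.
PRIVILEGED_PORT_MAX = 1023


def is_privileged_port(port):
    """True when binding this port needs root (or CAP_NET_BIND_SERVICE) on Linux."""
    return 0 <= port <= PRIVILEGED_PORT_MAX


def probe_tcp_port(port, host="0.0.0.0"):
    """Attempt a TCP bind on host:port and classify the outcome.

    Returns one of:
      "ok"          the port could be bound (the probe socket is closed again at once)
      "permission"  EACCES: privileged port and the process is not root
      "in_use"      EADDRINUSE: another process already owns the port
      "error:NAME"  any other errno, by symbolic name
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        sock.bind((host, port))
        return "ok"
    except PermissionError:
        return "permission"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in_use"
        return "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def explain(port, result):
    """Map a probe result to the remediation options discussed in the thread."""
    if result == "ok":
        return "port %d is bindable; the input should start" % port
    if result == "permission":
        return ("port %d is privileged and this process is not root: run a root-owned "
                "syslog-ng relay on it and forward to a port above 1024, or use "
                "port translation in front of Splunk" % port)
    if result == "in_use":
        return "port %d is already held by another process; find it with ss -ltnp" % port
    return "port %d failed with %s" % (port, result)


def demo():
    """Constructed scenario: occupy a loopback port, probe it, release it, probe again."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))        # kernel picks a free unprivileged port
    holder.listen(1)
    busy_port = holder.getsockname()[1]
    while_held = probe_tcp_port(busy_port, "127.0.0.1")   # expect "in_use"
    holder.close()                        # no connections were accepted, so no TIME_WAIT
    after_release = probe_tcp_port(busy_port, "127.0.0.1")  # expect "ok"
    return {"busy_port": busy_port, "busy": while_held, "free": after_release}


if __name__ == "__main__":
    # run as the splunk user on the indexer to see which case applies to each port
    for port in (514, 9514, 51000):
        print(explain(port, probe_tcp_port(port)))
    print(demo())
```

Run it under the same account splunkd uses (for example `sudo -u splunk python3 probe.py`): a "permission" result on 514 confirms the root-only binding explanation, while "in_use" on a high port means the fix is to find and stop the conflicting listener, not to change privileges.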

jkat54
SplunkTrust

If the answer solved your problem, please mark it as the answer.

0 Karma