Splunk UDP Data Input Fails To Send Data

leongchongyu
Explorer

Hi everyone,

I am working on a school project where multiple batches of students will work on the same project and pass it to the next batch. For this project, I have to send logs from a Lexmark CX725 printer to an instance of Splunk Enterprise 6.6.3. In order to do so, I have a UDP data input on port 2048 and configured the Lexmark printer to send its security logs to the IP address of the virtual machine running the Splunk instance (172.xx.xxx.A), port 2048.

However, no data is being sent to the Splunk instance at all. I have examined the metrics.log file with the command:
$SPLUNK_HOME/bin/splunk search 'index=_internal source=*metrics.log* destHost | dedup destHost'

and come up with the following line, which is the only line of the output produced by the command:

04-17-2018 10:56:49.865 +0800 INFO StatusMgr - destHost=172.xx.xxx.B, destIp=172.xx.xxx.B, destPort=2048, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor

172.xx.xxx.B is, I believe, the IP address of the virtual machine used by the previous batch of students running this project. In contrast, the virtual machine I am using has the IP address 172.xx.xxx.A. I believe that this could be because I inherited the configuration set up by the previous batch of students.

I was wondering if anyone has any insights on what could have caused this mix-up and what I can do to fix it, or if it is even relevant to my connection issues at all. Thank you all very much in advance for your time!

woodcock
Esteemed Legend

Whatever is acting as the forwarder (probably the printer itself) needs to be reconfigured to send to the correct IP address. If you are using a Splunk intermediate, this will be in the outputs.conf file somewhere under $SPLUNK_HOME/etc/. It is probably directly on the printer itself, though.

jconger
Splunk Employee

If you have access to the server running Splunk, I would make sure that 1) the server is listening on the port, and 2) you can send a UDP packet locally. Here's how from the command line:

Check that the port is listening:

netstat -an | grep 2048

Make sure you can send a UDP packet locally:

echo "Testing" > /dev/udp/127.0.0.1/2048

Run a search in Splunk looking for the data (Testing). Here is my search:

index=* "Testing"
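The metrics.log check from the question and the local UDP test from this answer, as an added example that is not part of the thread: a Python script that parses StatusMgr key=value lines and reports any destHost the forwarder is trying to reach outside an expected set, and that sends one datagram to a loopback UDP listener the way echo > /dev/udp does. The sample log lines, the 172.16.0.x addresses and the allowed-host set are constructed for the example.

```python
import re
import socket

# Constructed sample metrics.log lines in the StatusMgr format seen in the question.
SAMPLE_METRICS = """\
04-17-2018 10:56:49.865 +0800 INFO StatusMgr - destHost=172.16.0.2, destIp=172.16.0.2, destPort=2048, eventType=connect_try, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
04-17-2018 10:57:01.120 +0800 INFO StatusMgr - destHost=172.16.0.1, destIp=172.16.0.1, destPort=9997, eventType=connect_done, publisher=tcpout, sourcePort=8089, statusee=TcpOutputProcessor
"""

# key=value pairs are comma separated; values contain no commas or whitespace.
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_status_lines(text):
    """Return one dict of key=value fields per StatusMgr line (other lines are skipped)."""
    return [dict(KV_RE.findall(line)) for line in text.splitlines() if "StatusMgr" in line]


def unexpected_destinations(events, allowed_hosts):
    """destHost values the forwarder is contacting that are not in allowed_hosts.

    A stale destination here (for example a previous team's VM) means the
    forwarding config still points at the wrong host and data never reaches
    the indexer you are searching.
    """
    return sorted({e["destHost"] for e in events if e.get("destHost") not in allowed_hosts})


def udp_loopback_test(payload=b"Testing", port=0):
    """Bind a UDP listener on 127.0.0.1, send one datagram to it, return what was received.

    port=0 picks a free ephemeral port so the self-test runs anywhere; pass 2048
    only if nothing (such as Splunk) is already bound to it.
    """
    recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    recv.bind(("127.0.0.1", port))
    recv.settimeout(2)
    bound_port = recv.getsockname()[1]
    send = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        send.sendto(payload, ("127.0.0.1", bound_port))  # same as echo > /dev/udp/127.0.0.1/PORT
        data, _ = recv.recvfrom(4096)
    finally:
        send.close()
        recv.close()
    return data
```

On a real host, run unexpected_destinations over the output of the index=_internal search from the question with your indexer's IP as the only allowed host; any other value is the stale destination to fix in outputs.conf or on the printer.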

leongchongyu
Explorer

Hey jconger, thank you for the prompt and extremely clear answer.

The results of the netstat command were:

udp 0 0 0.0.0.0:2048 0.0.0.0:*

udp 0 0 0.0.0.0:2048 0.0.0.0:*

udp6 0 0 :::2048 :::*

unix 3 [ ] STREAM CONNECTED 20486

But searching Splunk (Search and Reporting app, time range set to All Time) returned no results.

jconger
Splunk Employee

Did you try manually sending a UDP packet via command line?

leongchongyu
Explorer

Missing or malformed messages.conf stanza for AUDIT:START_OF_EVENT_DROPS 4/21/2018, 6:18:29 PM

Missing or malformed messages.conf stanza for TCPOUT:FORWARDING_BLOCKED__default-autolb-group_10 4/18/2018, 5:30:25 PM

I found these in the messages tab after I tried to search for the data. Is this indicative of something wrong?

leongchongyu
Explorer

Yes, I did, using the command you provided. After I pressed Enter, it didn't show any feedback, just a blank line. Then I searched using S&R and got nothing.
