Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk and Cisco Firepower Audit Logs

b17gunnr
Explorer
‎04-07-2025 08:53 AM

Hello folks,

My organization is struggling with ingesting the Cisco Firepower audit (sys)logs into Splunk, we've been able to successfully ingest all the other sources. With the Firepowers only offering up 514udp which is unavailable according to Splunk, or a HEC configuration without tokens so Splunk is (would?) drop the events our option appear limited. Has anyone else come across this issue and solved it?

Screenshot 2025-04-07 114755.png

Screenshot 2025-04-07 114809.png

  

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

b17gunnr
Explorer
‎04-11-2025 04:21 AM

Unfortunately neither of these were the cause. In the end I believe we're going to set up an intermediate VM with a UF to catch the logs from the Firepowers on udp514. Clunky but it appears to be the only option. I appreciate the help.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

livehybrid
SplunkTrust
SplunkTrust
‎04-07-2025 09:02 AM

Hi @b17gunnr 

The error "UDP port 514 is not available" typically means that Splunk is not able to listen to the port, which is typically for 1 of 2 reasons:

  1. Another process is already listening to the port
    Confirm that nothing is already using this port, this process will vary between different OS.

  2. Splunk does not have permissions to listen to port 514.
    To listen to ports <1024 the Splunk process may require additional permissions (CAP_NET_BIND_SERVICE) and/or could be affected by AppArmor / SELinux. This will also vary depending on OS. 

For more information check out https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports  

Also, theres a previous Splunk answer which might help at https://community.splunk.com/t5/Getting-Data-In/how-to-listen-to-port-UDP-514-when-splunk-is-not-roo...

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Reply
Solved! Jump to solution
Solution

b17gunnr
Explorer
‎04-11-2025 04:21 AM

Unfortunately neither of these were the cause. In the end I believe we're going to set up an intermediate VM with a UF to catch the logs from the Firepowers on udp514. Clunky but it appears to be the only option. I appreciate the help.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎04-07-2025 03:27 PM

Also remember that while Splunk can listen for syslogs this is not a recommended setup. It's relatively ok for a small lab deployment but in production you'd rather want to go for a separate syslog daemon either writing to local files for pick up by UF or sending to HEC input.

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...