Getting Data In

Splunk and Cisco Firepower Audit Logs

b17gunnr
Path Finder

Hello folks,

My organization is struggling with ingesting the Cisco Firepower audit (sys)logs into Splunk; we've been able to successfully ingest all the other sources. With the Firepowers only offering up 514/udp, which is unavailable according to Splunk, or a HEC configuration without tokens, so Splunk is (would?) drop the events, our options appear limited. Has anyone else come across this issue and solved it?

Screenshot 2025-04-07 114755.png

Screenshot 2025-04-07 114809.png

1 Solution

b17gunnr
Path Finder

Unfortunately neither of these were the cause. In the end I believe we're going to set up an intermediate VM with a UF to catch the logs from the Firepowers on udp514. Clunky but it appears to be the only option. I appreciate the help.


livehybrid
SplunkTrust

Hi @b17gunnr 

The error "UDP port 514 is not available" typically means that Splunk is not able to listen on the port, which is usually for one of two reasons:

  1. Another process is already listening on the port.
    Confirm that nothing is already using this port; how to check this varies between operating systems.

  2. Splunk does not have permission to listen on port 514.
    To listen on ports <1024 the Splunk process may require additional permissions (CAP_NET_BIND_SERVICE) and/or could be affected by AppArmor / SELinux. This will also vary depending on the OS.

For more information check out https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Also, there's a previous Splunk answer which might help at https://community.splunk.com/t5/Getting-Data-In/how-to-listen-to-port-UDP-514-when-splunk-is-not-roo...

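The two checks above, scripted as an added example (this is not code from the thread or from Splunk's documentation). It assumes a Linux Splunk host with iproute2 `ss` and libcap `getcap`/`setcap` installed, and splunkd at /opt/splunk/bin/splunkd (override with the SPLUNKD environment variable). The `ss` output embedded in it is constructed, standing in for a host where rsyslogd already owns udp/514.

```shell
#!/bin/sh
# Added example: diagnose "UDP port 514 is not available" on a Linux Splunk host.
# Assumes ss(8) and getcap(8)/setcap(8) are present; SPLUNKD path is an assumption.
SPLUNKD="${SPLUNKD:-/opt/splunk/bin/splunkd}"

# Cause 1: is another process already bound to the UDP port?
# Reads `ss -lunp` output on stdin and prints the process column of the first
# socket whose local address ends in ":<port>". Exits 1 if nothing is bound.
# Note: without root, ss only shows process names for your own sockets.
udp_port_owner() {
  awk -v p=":$1" '
    NR > 1 && $4 ~ (p "$") {
      found = 1
      print ($6 != "" ? $6 : "(owner hidden: rerun ss as root)")
      exit
    }
    END { exit !found }'
}

# Cause 2: does the splunkd binary carry an *effective* CAP_NET_BIND_SERVICE?
# Reads `getcap <binary>` output on stdin. Accepts both libcap output styles:
#   "<path> cap_net_bind_service=ep"  and  "<path> = cap_net_bind_service+ep"
has_bind_cap() {
  grep -Eq 'cap_net_bind_service[^ ]*[=+][ip]*e'
}

# Constructed sample of `ss -lunp`: rsyslogd holds udp/514, chronyd udp/323.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:514        0.0.0.0:*         users:(("rsyslogd",pid=812,fd=5))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*         users:(("chronyd",pid=640,fd=5))'

# Run both checks for real against this machine.
diagnose_live() {
  port="${1:-514}"
  if owner=$(ss -lunp | udp_port_owner "$port"); then
    echo "udp/$port is already owned by: $owner"
  else
    echo "udp/$port is free"
  fi
  if [ "$(id -u)" -eq 0 ]; then
    echo "splunkd runs as root here: no capability needed"
  elif getcap "$SPLUNKD" | has_bind_cap; then
    echo "$SPLUNKD has effective cap_net_bind_service"
  else
    echo "$SPLUNKD lacks cap_net_bind_service; as root run:"
    echo "  setcap 'cap_net_bind_service=+ep' $SPLUNKD"
  fi
}

# With --live, inspect this host; otherwise demonstrate on the constructed sample.
if [ "${1-}" = "--live" ]; then
  diagnose_live 514
else
  printf '%s\n' "$SAMPLE_SS" | udp_port_owner 514
fi
```

Run it as root with `--live` so `ss -p` can name sockets owned by other users. If you do go the `setcap` route, remember that file capabilities live on the binary, so they disappear whenever an upgrade replaces splunkd and must be reapplied; granting the capability through the service manager instead (for example `AmbientCapabilities=CAP_NET_BIND_SERVICE` in a systemd unit) survives upgrades.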


PickleRick
SplunkTrust

Also remember that while Splunk can listen for syslog directly, this is not a recommended setup. It's relatively OK for a small lab deployment, but in production you'd rather go for a separate syslog daemon, either writing to local files for pickup by a UF or sending to a HEC input.
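The "syslog daemon writes local files, UF picks them up" layout, as an added example (not PickleRick's code, nor anything from Splunk or Cisco). rsyslog owns udp/514, so splunkd never needs the privileged port, and each sending Firepower gets its own file keyed on source IP so the UF takes the host from the path rather than from the syslog header. Assumed, and to be adjusted: rsyslog 8 (RainerScript syntax), a Universal Forwarder under /opt/splunkforwarder whose service account is in group "splunk", and the index and sourcetype names, which are placeholders.

```shell
#!/bin/sh
# Added example: install the rsyslog relay config and the matching UF monitor
# stanza. Assumes rsyslog 8, a UF under /opt/splunkforwarder running in group
# "splunk", and placeholder index/sourcetype names (replace them).
# install_syslog_relay            -> writes the real files under /
# install_syslog_relay /some/dir  -> renders them under a prefix for review
install_syslog_relay() {
  root="${1:-}"
  rsyslog_conf="$root/etc/rsyslog.d/50-firepower.conf"
  uf_app="$root/opt/splunkforwarder/etc/apps/firepower_syslog/local"
  mkdir -p "$(dirname "$rsyslog_conf")" "$uf_app"

  # rsyslog is started by the service manager as root and binds udp/514 itself,
  # so no capability juggling for splunkd. One file per sender, named after the
  # source IP (%FROMHOST-IP%), written group-readable for the UF's account.
  # Group "splunk" must exist when rsyslog loads this, or the action is rejected.
  cat > "$rsyslog_conf" <<'EOF'
module(load="imudp")

template(name="FirepowerFile" type="string"
         string="/var/log/firepower/%FROMHOST-IP%/audit.log")

ruleset(name="firepower") {
    action(type="omfile" dynaFile="FirepowerFile"
           dirCreateMode="0750" fileCreateMode="0640"
           dirGroup="splunk" fileGroup="splunk")
    stop
}

input(type="imudp" port="514" ruleset="firepower")
EOF

  # UF side: host_segment=4 picks <ip> out of /var/log/firepower/<ip>/audit.log.
  # .conf files only allow comments on their own line, hence no inline notes.
  cat > "$uf_app/inputs.conf" <<'EOF'
[monitor:///var/log/firepower/*/audit.log]
host_segment = 4
# assumed names: use the index and sourcetype your Firepower add-on expects
index = network
sourcetype = cisco:firepower:audit
disabled = false
EOF
  echo "wrote $rsyslog_conf and $uf_app/inputs.conf"
}

# Install for real only when asked; otherwise render into a scratch directory.
if [ "${1-}" = "--install" ]; then
  install_syslog_relay
else
  scratch="$(mktemp -d)"
  install_syslog_relay "$scratch"
fi
```

After installing, validate with `rsyslogd -N1` before restarting rsyslog, confirm with `ss -lunp` that rsyslogd (not splunkd) now owns udp/514, and restart the UF so it reads the new app. The per-host files grow without bound, so add a logrotate rule for /var/log/firepower; and if the Firepowers sit behind NAT, %FROMHOST-IP% will be the NAT address, in which case key the template on the hostname in the syslog header instead.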
