Getting Data In

Splunk listen on port 514 UDP

ws
Path Finder

Hi,

I understand that ports below 1024 are reserved for root access. Is there any supported way for Splunk to listen on UDP port 514 while still running under the splunk user?

I’ve tried starting Splunk with:

sudo $SPLUNK_HOME/bin/splunk start --run-as-root

as well as changing ownership/permissions of the relevant directories to root, but none of these approaches worked.

If anyone has successfully configured Splunk to listen on UDP 514 without using port redirection, I’d really appreciate it if you could share the steps.

Thanks


tscroggins
Champion

Hi @ws,

Is there a reason you're opposed to port redirection/forwarding? It's the least intrusive way to manage the traffic and works with SELinux etc.

If you're using Linux with firewalld, run Splunk as a non-root user and configure a UDP input on any available port above 1023, e.g., 9514/udp. You can then configure firewalld to locally forward 514/udp traffic to 9514/udp:

# add the forwarding rule
sudo firewall-cmd --permanent --add-forward-port=port=514:proto=udp:toport=9514
# enable the syslog service; see /usr/lib/firewalld/services/syslog.xml
sudo firewall-cmd --permanent --add-service syslog
# reload firewalld
sudo firewall-cmd --reload

Adapt the firewall-cmd arguments to zones if needed.


PickleRick
SplunkTrust

Yes, you can force your Splunk installation to listen on 514 if you bend over backwards, but it may involve more than just running it as root (even then SELinux might prevent you from binding to that port). There were some issues with running with the capability allowing low-port binds too, as far as I remember, but I can't recall the details.

It's still not the best idea to do so anyway. Splunk as the immediate syslog receiver (especially UDP) is generally discouraged. True, it can be used as a quick and dirty solution for a lab scenario but for production use it's best to run an external syslog daemon either writing to files later picked up by Universal Forwarder or forwarding to HEC input.


livehybrid
SplunkTrust

Hi @ws 

Running Splunk as root user is generally a bad idea. 

For the Splunk best practice and Validated Architectures around syslog, I would recommend reading https://help.splunk.com/en/splunk-cloud-platform/get-started/splunk-validated-architectures/getting-... and looking at using a syslog server which can store the data in files that are forwarded using a Universal Forwarder (UF), or Splunk Connect for Syslog (SC4S).

If you really want to receive the data into Splunk using a UDP port at < 1024 then you might find some success by looking at adding the CAP_NET_BIND_SERVICE capability to the Splunk user.

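The answers above turn on three separate questions that are easy to conflate: whether the splunk user is allowed to bind a port below 1024 (root or CAP_NET_BIND_SERVICE), whether something else such as a local syslog daemon already owns udp/514, and whether the high port you redirect to (9514 in the firewalld example) actually receives datagrams. The following is an added example, not code from this thread or from Splunk, that checks each of these from the shell account Splunk runs under without starting Splunk. The sample syslog line, the port numbers and the function names are assumptions made for the example.

```python
"""Preflight check for a UDP syslog input on a non-root Splunk host.

Added example, not code from the thread or from Splunk. Run it as the
splunk user to answer, without touching Splunk itself:
  1. Can this user bind UDP 514, or only a port above 1023?
  2. Is something else (e.g. rsyslog) already listening there?
  3. Does a datagram actually arrive on the port you chose?
"""
import errno
import socket

# Constructed sample syslog line (RFC 3164 style); not from a real system.
SAMPLE_LINE = "<13>Jan  1 00:00:00 lab-host splunk-test: constructed syslog line"


def try_bind_udp(port, host="0.0.0.0"):
    """Attempt to bind a UDP socket and report why it failed, if it did.

    Returns "ok", "privileged" (EACCES/EPERM: port < 1024 and the process has
    neither root nor CAP_NET_BIND_SERVICE) or "in-use" (EADDRINUSE: another
    listener, such as a local syslog daemon, already owns the port).
    SO_REUSEADDR is deliberately not set so that "in-use" is reported honestly.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno in (errno.EACCES, errno.EPERM):
                return "privileged"
            if e.errno == errno.EADDRINUSE:
                return "in-use"
            raise
    return "ok"


def syslog_roundtrip(port, line, timeout=2.0):
    """Bind UDP `port` on loopback (0 = any free ephemeral port), send `line`
    to it from a second socket and return (bound_port, received_text).

    This exercises the same kernel path a Splunk UDP input uses, so it confirms
    the port is reachable before you point firewalld or rsyslog at it.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", port))
        rx.settimeout(timeout)
        bound = rx.getsockname()[1]
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(line.encode("utf-8"), ("127.0.0.1", bound))
        data, _ = rx.recvfrom(65535)
    return bound, data.decode("utf-8", errors="replace")


def parse_pri(line):
    """Split the leading <PRI> of a syslog line into (facility, severity).

    PRI = facility * 8 + severity, so <13> is facility 1 (user), severity 5
    (notice). Returns None when the line has no well-formed PRI.
    """
    if not line.startswith("<"):
        return None
    end = line.find(">", 1, 5)          # PRI is at most three digits
    if end == -1 or not line[1:end].isdigit():
        return None
    pri = int(line[1:end])
    if pri > 191:                        # 23 * 8 + 7 is the largest valid PRI
        return None
    return pri // 8, pri % 8


if __name__ == "__main__":
    for port in (514, 9514):             # 9514 is the example high port from the thread
        print(f"udp/{port}: {try_bind_udp(port)}")
    target = 9514 if try_bind_udp(9514) == "ok" else 0
    bound, text = syslog_roundtrip(target, SAMPLE_LINE)
    print(f"received on udp/{bound}: {text!r} -> facility/severity {parse_pri(text)}")
```

Two caveats when reading the output. A file capability granted with setcap on the splunkd binary applies only to that binary, so this script still reports udp/514 as "privileged" for the splunk user after setcap; verify that path with getcap on the binary and `ss -lunp` once Splunk is started, and expect to repeat the setcap after an upgrade replaces the binary. Lowering the threshold with the `net.ipv4.ip_unprivileged_port_start` sysctl makes the script report "ok" for 514, but it does so for every user on the host, which is broader than a capability on one process.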

gcusello
SplunkTrust

Hi @ws ,

the best solution (Splunk best practice) is to use a syslog server (such as rsyslog or syslog-ng) to receive syslogs and write them to files that are read by Splunk.

In this way you can continue to receive syslogs even when Splunk is down, and you don't have any port problem.

Otherwise you can redirect port 514 to a higher port at the operating system level, but the first is the best solution.

Ciao.

Giuseppe
