Getting Data In

Syslog TCP port 514 or 6514 - Having trouble connecting Endpoint Cloud to Splunk HF

Verxc5Beu
Engager

Hi everyone,

Thanks for taking the time to read this and provide your knowledge, since I've been struggling a bit with this. I am having an issue with making a connection from the Endpoint Cloud (Cylance) to the Splunk Heavy Forwarder pushing syslogs, to then be forwarded to the Cloud. When testing, UDP ports work and the connection is successful; however, the logs are still not coming into Splunk Enterprise and are not appearing in Splunk Cloud either. I have configured the data input, the inputs.conf and the index correctly. Ports 514 and 6514 TCP are opened on the security side (firewalls).

My question is, for either port 514 or 6514, is TLS/SSL required by default to make a connection to these ports? Or should it connect successfully if I choose for it not to be encrypted (testing)? Even when trying a different random TCP port and the connection is successful, the dashboards in Cylance do not populate. Am I missing a piece of the puzzle? I've made sure to follow all the steps provided.

Any help is appreciated.

Thanks


PickleRick
SplunkTrust

Well... Syslog is a relatively easy mechanism (it's not a protocol as such), but it can get relatively complicated to receive it properly in Splunk.

Firstly, in order to listen on a low (1024 or below) port, you'd have to run the splunk daemon as the root user, which is not recommended. Secondly, in the case of a non-Windows machine, port 514 will most probably already be used by a system-wide syslog daemon.

There are other issues with receiving syslog data from the network, like performance and network-level metadata, so unless you have a very small and simple environment it's best to have a separate syslog-processing layer in the form of a Splunk Connect for Syslog (SC4S) instance or a custom rsyslog/syslog-ng-based solution pushing events to a HEC input.

scottsavareseat
Path Finder

According to https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf#TCP:, when you have a TCP input it is not encrypted by default, unless you use tcp-ssl:<port>. So if you want encryption, make sure you use the right type of input for TCP.

Also, look into https://splunkbase.splunk.com/app/4740/, which will set up a syslog listener and forward it to Splunk. It may be easier than mangling a heavy forwarder? I personally run a syslog-ng cluster which receives the TLS/TCP/UDP syslog packets and forwards them to the indexers via Splunk's HTTP Event Collector. It scales a bit better than a single heavy forwarder, I think.
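The two answers above come down to three checks on the sender side: whether the port the HF is supposed to bind is privileged, whether the listener on that port is actually plaintext (`[tcp://PORT]`) or TLS (`[tcp-ssl://PORT]`), and whether a hand-built syslog line arrives at all. The script below is an added example written for this page; it is not code from the thread, from Cylance or from Splunk. The hostname `hf.example.internal`, the index name `cylance` and the HEC token value are assumptions to be replaced; it needs bash (for `/dev/tcp`), `openssl`, `curl` and `jq`, and `ss` for the HF-local port check.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Sender-side checks for a Splunk
# Heavy Forwarder syslog TCP input, plus the HEC alternative both answers
# recommend. HF_HOST, HEC_TOKEN and INDEX are assumed placeholders.
set -euo pipefail

HF_HOST="${HF_HOST:-hf.example.internal}"                         # assumed
HEC_TOKEN="${HEC_TOKEN:-00000000-0000-0000-0000-000000000000}"  # assumed
INDEX="${INDEX:-cylance}"                                         # assumed

# Ports below 1024 need root (or CAP_NET_BIND_SERVICE on Linux) to bind.
# A [tcp://514] stanza on a non-root splunkd therefore never listens,
# while [tcp://6514] or [tcp-ssl://6514] binds fine.
is_privileged_port() { [ "$1" -lt 1024 ]; }

# On the HF itself: is something (typically rsyslog) already bound to
# the port splunkd is supposed to take? Returns 0 if a listener exists.
port_in_use_locally() {
  ss -lnt 2>/dev/null | awk 'NR>1 {print $4}' | grep -q ":$1\$"
}

# Build one RFC 5424 line. PRI = facility*8 + severity, so user.info is <14>.
# Arguments: facility severity hostname app-name message
syslog_5424() {
  local facility=$1 severity=$2 host=$3 app=$4 msg=$5
  local pri=$(( facility * 8 + severity ))
  local ts
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  printf '<%d>1 %s %s %s - - - %s' "$pri" "$ts" "$host" "$app" "$msg"
}

# Is the remote port closed, a plaintext [tcp://] input, or a [tcp-ssl://]
# input? s_client exits non-zero when the peer answers the ClientHello with
# non-TLS bytes ("wrong version number"), which is what a plain TCP input
# does. Caveat: probing a plaintext input leaves one garbage event behind,
# because Splunk indexes the ClientHello it received.
probe_listener() {
  local host=$1 port=$2
  if ! timeout 3 bash -c ">/dev/tcp/$host/$port" 2>/dev/null; then
    echo closed; return
  fi
  if openssl s_client -connect "$host:$port" </dev/null >/dev/null 2>&1; then
    echo tls
  else
    echo plaintext
  fi
}

# Plaintext, newline-delimited: what a [tcp://514] stanza expects.
send_plain() {  # host port line
  printf '%s\n' "$3" > "/dev/tcp/$1/$2"
}

# TLS: what a [tcp-ssl://6514] stanza expects. -verify_return_error makes
# a certificate validation failure fatal instead of a warning; -no_ign_eof
# overrides the -ign_eof that -quiet implies, so the session closes once
# stdin has been sent. Cylance's cloud will validate the HF's cert the same
# way, so a self-signed serverCert silently fails this leg.
send_tls() {  # host port line ca-bundle.pem
  printf '%s\n' "$3" | openssl s_client -quiet -no_ign_eof \
      -connect "$1:$2" -CAfile "$4" -verify_return_error
}

# The alternative both answers mention: hand the event to HEC instead of a
# raw TCP input (this is what SC4S or a syslog-ng layer does for you).
send_hec() {  # host line
  jq -cn --arg idx "$INDEX" --arg ev "$2" \
      '{index: $idx, sourcetype: "syslog", event: $ev}' |
  curl -sS --fail "https://$1:8088/services/collector/event" \
      -H "Authorization: Splunk $HEC_TOKEN" --data-binary @-
}

# Demo (network required): ./hf-syslog-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
  line=$(syslog_5424 1 6 test-sender cylance-test "connectivity test $(date -u +%s)")
  for p in 514 6514; do
    is_privileged_port "$p" && echo "port $p: needs root or CAP_NET_BIND_SERVICE on the HF"
    echo "port $p listener: $(probe_listener "$HF_HOST" "$p")"
  done
  send_plain "$HF_HOST" 6514 "$line"
  # Then search on the indexer: index=cylance "connectivity test"
fi
```

Run the demo before touching the Cylance console: if `probe_listener` says `closed` on 514 but `plaintext` on 6514, the HF is not running as root and the low-port stanza never bound; if it says `plaintext` on the port Cylance is configured to send TLS to, the HF stanza is `[tcp://…]` where a `[tcp-ssl://…]` plus an `[SSL]` stanza (with `serverCert` and `sslPassword`) is needed, and the Cylance handshake is dying before any event reaches the index. A line that `send_plain` delivers and that shows up under `index=cylance` proves the listener and index are fine and narrows the problem to the TLS leg or to the sender configuration.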
