Syslog TCP port 514 or 6514 - Having trouble connecting Endpoint Cloud to Splunk HF

Veržu
Engager

Hi everyone,

Thanks for taking the time to read this and share your knowledge, since I've been struggling a bit with this. I am having an issue with making a connection from the Endpoint Cloud (Cylance) to the Splunk Heavy Forwarder pushing syslogs, to then be forwarded to the Cloud. When testing, UDP ports work and the connection is successful; however, the logs are still not coming into Splunk Enterprise and are not appearing in Splunk Cloud either. I have configured the Data input, the inputs.conf and the index correctly. Ports 514 and 6514 TCP are opened on the security side (firewalls). My question is, for either port 514 or 6514, is TLS/SSL required by default to make a connection to these ports? Or should it connect successfully if I choose for it not to be encrypted? (testing) Even when trying with a different random TCP port and the connection is successful, the dashboards in Cylance do not populate. Am I missing a piece of the puzzle? I've made sure to follow all the steps provided.

Any help is appreciated.

Thanks


PickleRick
SplunkTrust

Well... Syslog is a relatively easy mechanism (it's not a protocol as such), but it can get relatively complicated to properly receive it in Splunk.

Firstly, in order to listen on a low (1024 or below) port, you'd have to run the Splunk daemon as the root user, which is not recommended. Secondly, on a non-Windows machine port 514 will most probably already be used by a system-wide syslog daemon.

There are other issues with receiving syslog data from the network, like performance and network-level metadata, so unless you have a very small and simple environment it's best that you have a separate syslog-processing layer in the form of a Splunk Connector 4 Syslog (SC4S) instance or a custom rsyslog/syslog-ng based solution pushing events to a HEC input.

scottsavareseat
Path Finder

According to https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf#TCP:, when you have a tcp input it is not encrypted by default, unless you use tcp-ssl:<port>. So if you want to do encryption, make sure you use the right type of input for tcp.

Also, look into https://splunkbase.splunk.com/app/4740/, which will set up a syslog listener and forward it to Splunk. It may be easier than mangling a heavy forwarder? I personally run a syslog-ng cluster which receives the TLS/TCP/UDP syslog packets and forwards them to the indexers via Splunk's HTTP Event Collector. It scales a bit better than a single heavy forwarder, I think.
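To make the tcp vs. tcp-ssl distinction from the answer above concrete, here is an inputs.conf fragment written as an added example; it is not from the thread, from Cylance, or from Splunk's documentation. The index name, the certificate path and the password are assumptions, and the plaintext listener is put on 1514 rather than 514 so the Splunk daemon does not need root to bind it.

```ini
# Added example, not from the thread. Place in
# $SPLUNK_HOME/etc/system/local/inputs.conf (or an app's local/inputs.conf).

# Plaintext listener. The "tcp" scheme never negotiates TLS, so a sender that
# is configured to use TLS fails its handshake here and never delivers events,
# and any events that do arrive are readable on the wire. Port 1514 is a
# constructed choice; binding 514 would require running splunkd as root.
[tcp://1514]
sourcetype = syslog
index = cylance            ; assumed index name, use the one you created
connection_host = ip
disabled = 0

# TLS listener. The "tcp-ssl" scheme is what makes Splunk require a TLS
# handshake on the port; 6514 is the conventional syslog-over-TLS port.
# The sender must then be configured for TLS on this port, not plain TCP.
[tcp-ssl://6514]
sourcetype = syslog
index = cylance
connection_host = ip
disabled = 0

# Server certificate shared by every tcp-ssl input on this forwarder.
# Path and password are placeholders for this example.
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/hf-server.pem
sslPassword = <private-key-password>
requireClientCert = false
```

A quick way to tell the two apart from the sending side is that a TLS client connecting to the tcp:// port sees the handshake rejected or time out, while a plain TCP client connecting to the tcp-ssl:// port gets its bytes dropped by the TLS layer; in both mismatched cases the port shows as "open" to a firewall or port-scan check, which matches the symptom in the question of a successful connection with no events indexed. Restart splunkd (or reload inputs) after editing the file, and check splunkd.log for TCP/SSL errors if events still do not arrive.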
