Hi everyone,
Thanks for taking the time to read this and providing your knowledge, since I've been struggling a bit with this. I am having an issue with making a connection from the Endpoint Cloud (Cylance) to the Splunk Heavy Forwarder pushing syslogs, to then be forwarded to the Cloud. When testing, UDP ports work and the connection is successful; however, the logs are still not coming into Splunk Enterprise and not appearing in Splunk Cloud either. I have configured the Data input, the inputs.conf and the index correctly. Ports 514 and 6514 TCP are opened on the security side (Firewalls). My question is, for either port 514 or 6514, is TLS/SSL required by default to make a connection to these ports? Or should it connect successfully if I choose for it not to be encrypted? (testing) Even when trying with a different random TCP port and the connection is successful, the dashboards in Cylance do not populate. Am I missing a piece of the puzzle? I've made sure to follow all steps provided.
Any help is appreciated.
Thanks
Well... Syslog is a relatively easy mechanism (it's not a protocol as such), but it can get relatively complicated to properly receive it in Splunk.
Firstly, in order to listen on a low (1024 or below) port, you'd have to run the splunk daemon as the root user, which is not recommended. Secondly, port 514, in the case of a non-Windows machine, will most probably already be used by a system-wide syslog daemon.
There are other issues with receiving syslog data from the network, like performance and network-level metadata, so unless you have a very small and simple environment it's best that you have a separate syslog-processing layer in the form of a Splunk Connect for Syslog (SC4S) instance or a custom rsyslog/syslog-ng based solution pushing events to a HEC input.
According to https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf#TCP:, when you have a tcp input it is not encrypted by default, unless you use tcp-ssl:<port>. So if you want to do encryption, make sure you use the right type of input for tcp.
Also, look into https://splunkbase.splunk.com/app/4740/ which will set up a syslog listener and forward it to Splunk. May be easier than mangling a heavy forwarder? I personally run a syslog-ng cluster which receives the tls/tcp/udp syslog packets and forwards them to the indexers via Splunk's HTTP Event Collector. It scales a bit better than a single heavy forwarder, I think.
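As an added illustration (not from the thread or from Splunk's docs), here is what the distinction in the answer above looks like in inputs.conf on the heavy forwarder: a plain `tcp://` stanza that accepts cleartext next to a `tcp-ssl://` stanza that requires TLS, plus the `[SSL]` stanza the latter needs. The port numbers, index name, sourcetype and certificate path are assumptions.

```ini
# Added example (not from the thread): inputs.conf on the heavy forwarder.
# Index, sourcetype, port numbers and certificate path are assumptions.

# Plain TCP listener: events arrive unencrypted. Binding port 514 also
# needs root (or a port redirect), as the earlier answer points out.
[tcp://514]
index = cylance
sourcetype = cylance_syslog
connection_host = dns
disabled = 0

# TLS listener: only a "tcp-ssl" stanza wraps the connection in TLS.
# A plain "tcp://6514" stanza would accept cleartext on 6514, and a
# sender configured to send TLS to it would fail its handshake.
[tcp-ssl://6514]
index = cylance
sourcetype = cylance_syslog
connection_host = dns
disabled = 0

# Server certificate used by every tcp-ssl stanza in this file.
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder-server.pem
sslPassword = <password-for-the-key-file>
requireClientCert = false
sslVersions = tls1.2
```

To confirm which kind of listener is actually in effect, run `openssl s_client -connect <forwarder>:6514` from the sending side: a completed handshake showing the forwarder's certificate means the `tcp-ssl` stanza is active, while a plain `tcp` stanza will never answer the TLS ClientHello.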