Getting Data In

Syslog TCP port 514 or 6514 - Having trouble connecting Endpoint Cloud to Splunk HF

Verxc5Beu
Engager

Hi everyone,

Thanks for taking the time to read this and share your knowledge, since I've been struggling a bit with this. I am having an issue making a connection from the Endpoint Cloud (Cylance) to the Splunk Heavy Forwarder by pushing syslogs, which are then to be forwarded to the Cloud. When testing, UDP ports work and the connection is successful; however, the logs are still not coming into Splunk Enterprise and not appearing in Splunk Cloud either. I have configured the data input, the inputs.conf and the index correctly. Ports 514 and 6514 TCP are opened on the security side (firewalls). My question is, for either port 514 or 6514, is TLS/SSL required by default to make a connection to these ports? Or should it connect successfully if I choose for it not to be encrypted (testing)? Even when trying a different random TCP port and the connection is successful, the dashboards in Cylance do not populate. Am I missing a piece of the puzzle? I've made sure to follow all the steps provided.

Any help is appreciated.

Thanks


PickleRick
SplunkTrust

Well... Syslog is a relatively easy mechanism (it's not a protocol as such), but it can get relatively complicated to receive it properly in Splunk.

Firstly, in order to listen on a low (1024 or below) port, you'd have to run the splunk daemon as the root user, which is not recommended. Secondly, port 514 on a non-Windows machine will most probably already be in use by a system-wide syslog daemon.

There are other issues with receiving syslog data from the network, like performance and network-level metadata, so unless you have a very small and simple environment it's best to have a separate syslog-processing layer in the form of a Splunk Connect for Syslog (SC4S) instance or a custom rsyslog/syslog-ng based solution pushing events to a HEC input.

scottsavareseat
Path Finder

According to https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf#TCP:, when you have a tcp input it is not encrypted by default, unless you use tcp-ssl:<port>. So if you want encryption, make sure you use the right type of input for tcp.

Also, look into https://splunkbase.splunk.com/app/4740/ which will set up a syslog listener and forward it to Splunk. It may be easier than mangling a heavy forwarder. I personally run a syslog-ng cluster which receives the TLS/TCP/UDP syslog packets and forwards them to the indexers via Splunk's HTTP Event Collector. It scales a bit better than a single heavy forwarder, I think.
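Added example, not from the thread or from Splunk, of how to verify which way the HF input actually expects the connection before blaming the firewall: a plain `[tcp://514]` stanza in inputs.conf accepts cleartext and never answers a TLS ClientHello, while a `[tcp-ssl://6514]` stanza only completes a TLS handshake (and needs an `[SSL]` stanza in the same inputs.conf with `serverCert` pointing at the HF's certificate). The script probes the port with openssl and then sends one RFC 5424 event with RFC 6587 octet-count framing the matching way. The host, port, `cylance-test` app name, index and sourcetype names are assumptions, as is the presence of `openssl`, `nc` and `timeout` on the sending box.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a Splunk HF syslog TCP
# input expects TLS, then send one framed test event the matching way.
# Assumptions: Linux box with openssl, nc and timeout (coreutils) on PATH;
# hostnames, ports, index and sourcetype names below are illustrative.

# Build one RFC 5424 syslog message with RFC 6587 octet-count framing
# ("<length> <message>").  Fixed timestamp so the output is reproducible.
# Arguments: hostname, app-name, message text.
syslog_frame() {
    _pri=134    # facility local0 (16*8) + severity informational (6)
    _msg="<$_pri>1 2024-12-01T12:00:00Z $1 $2 - - - $3"
    printf '%d %s' "${#_msg}" "$_msg"
}

# Print "tls" if host:port completes a TLS handshake (a tcp-ssl:// input) or
# "plaintext-or-closed" otherwise.  A plaintext tcp:// input just swallows the
# ClientHello bytes and never answers, hence the timeout.
probe_tls() {
    if printf '' | timeout 5 openssl s_client -connect "$1:$2" -servername "$1" >/dev/null 2>&1; then
        echo tls
    else
        echo plaintext-or-closed
    fi
}

# Send one event in cleartext, for a [tcp://<port>] stanza.
send_plain() {
    syslog_frame "$(hostname)" cylance-test "plaintext test event" | nc -w 3 "$1" "$2"
}

# Send one event over TLS, for a [tcp-ssl://<port>] stanza.  Add
# -CAfile <ca.pem> to verify the HF certificate once the test works.
send_tls() {
    syslog_frame "$(hostname)" cylance-test "tls test event" \
        | timeout 5 openssl s_client -quiet -connect "$1:$2" -servername "$1" 2>/dev/null
}

# Usage: ./probe_hf.sh <hf-host> <port>   (assumed script name)
if [ "$#" -ge 2 ]; then
    case "$(probe_tls "$1" "$2")" in
        tls) send_tls "$1" "$2" ;;
        *)   send_plain "$1" "$2" ;;
    esac
    echo "Now search on the HF or indexer: index=cylance sourcetype=syslog \"test event\""
fi
```

On the HF itself, `splunk btool inputs list --debug | grep -E 'tcp(-ssl)?://'` shows which stanza type is actually active and in which file, and `ss -ltnp | grep -E ':(514|6514)'` shows whether splunkd or the OS syslog daemon owns the port. A successful TCP connect only proves the firewall path; an event only shows up once the stanza type (tcp vs tcp-ssl) and the framing match what the HF is listening for.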
