Getting Data In

Syslog TCP port 514 or 6514 - Having trouble connecting Endpoint Cloud to Splunk HF

Veržu
Engager

Hi everyone,

Thanks for taking the time to read this and provide your knowledge, since I've been struggling a bit with this. I am having an issue with making a connection from the Endpoint Cloud (Cylance) to the Splunk Heavy Forwarder pushing syslogs, for them to then be forwarded to the Cloud. When testing, UDP ports work and the connection is successful, however the logs are still not coming into Splunk Enterprise and not appearing in Splunk Cloud either. I have configured the Data input, the inputs.conf and the index correctly. Ports 514 and 6514 TCP are opened on the security side (firewalls). My question is, for either port 514 or 6514, is TLS/SSL required by default to make a connection to these ports? Or should it connect successfully if I choose for it not to be encrypted? (testing) Even when trying with a different random TCP port and the connection is successful, the dashboards in Cylance do not populate. Am I missing a piece of the puzzle? I've made sure to follow all steps provided.

Any help is appreciated.

Thanks


PickleRick
SplunkTrust

Well... Syslog is a relatively easy mechanism (it's not a protocol as such), but it can get relatively complicated to properly receive it in Splunk.

Firstly, in order to listen on a low (1024 or below) port, you'd have to run the splunk daemon as the root user, which is not recommended. Secondly, port 514 in the case of a non-Windows machine will most probably already be in use by a system-wide syslog daemon.

There are other issues with receiving syslog data from the network, like performance and network-level metadata, so unless you have a very small and simple environment it's best to have a separate syslog-processing layer in the form of a Splunk Connect for Syslog (SC4S) instance or a custom rsyslog/syslog-ng based solution pushing events to a HEC input.

scottsavareseat
Path Finder

According to https://docs.splunk.com/Documentation/Splunk/8.2.6/Admin/Inputsconf#TCP:, when you have a tcp input it is not encrypted by default, unless you use tcp-ssl:<port>. So if you want to do encryption, make sure you use the right type of input for tcp.

Also, look into https://splunkbase.splunk.com/app/4740/ which will set up a syslog listener and forward it to Splunk. May be easier than mangling a heavy forwarder? I personally run a syslog-ng cluster which receives the TLS/TCP/UDP syslog packets and forwards them to the indexers via Splunk's HTTP Event Collector. It scales a bit better than a single heavy forwarder, I think.
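The contrast between the two input types described in the answer above, as an added inputs.conf example that is not from the thread or from any Splunk or Cylance documentation. The index name, sourcetype, certificate path and source CIDR are assumed placeholders; the stanza names and keys (`tcp://`, `tcp-ssl://`, `[SSL]`, `serverCert`, `requireClientCert`, `sslVersions`, `acceptFrom`) are the real inputs.conf settings the linked docs page describes.

```ini
# --- Weak: plain TCP listener, anything on the wire is cleartext ---
# A high port is used so splunkd does not need root to bind it.
[tcp://10514]
index = cylance            # assumed index name, create it first
sourcetype = cylance:syslog  # assumed sourcetype
connection_host = ip       # record the sender's IP as host

# --- Hardened: TLS listener; the sender must be configured for TLS too ---
# A plain-TCP sender pointed at this port will connect and then be dropped
# during the TLS handshake, so "port is open" is not proof that data arrives.
[tcp-ssl://6514]
index = cylance
sourcetype = cylance:syslog
connection_host = ip
acceptFrom = 203.0.113.0/24   # placeholder: only the endpoint cloud egress range

# [SSL] in inputs.conf applies to every tcp-ssl:// input on this forwarder.
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem  # assumed path to server cert + key
sslPassword = <key passphrase, placeholder>
requireClientCert = false     # set true only if the sender can present a client cert
sslVersions = tls1.2
```

After reloading, a sender that only speaks plain TCP will show a successful connect on 6514 but no events in the index; that mismatch is the first thing to rule out.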
