Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Syslog from Firewall issue

hartfoml
Motivator
‎01-18-2012 12:15 PM

I asked my Firewall admin to change the port for syslog to the Splunk indexer.

He changed it from 514 to 1514.

He said he made the change but I am not seeing the incoming log data.

I'm sure the indexer host firewall port is open.

Where would I go to see what data is coming in on what port?

Does splunk tag the data with the indexer connection information?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hartfoml
Motivator
‎01-20-2012 12:08 PM

Used the SoS app

This app will show you

S.o.S - Splunk on Splunk > Metrics > Incoming Network Throughput

this shows the network data comeing into splunk on what ports

After checking with my lunix admin and looking in SoS I confrunted the firewall guy and they did not make the change requiered.

View solution in original post

Reply
Solved! Jump to solution
Solution

hartfoml
Motivator
‎01-20-2012 12:08 PM

Used the SoS app

This app will show you

S.o.S - Splunk on Splunk > Metrics > Incoming Network Throughput

this shows the network data comeing into splunk on what ports

After checking with my lunix admin and looking in SoS I confrunted the firewall guy and they did not make the change requiered.

Reply
Solved! Jump to solution

FunPolice
Path Finder
‎01-18-2012 11:33 PM

The low-impact way would be to get IP accounting or netflow data from any routers or switches between the firewall and your indexer.

Otherwise you could install packet capture software (Wireshark or Microsoft Network Monitor, for example) on your indexer and capture all of the traffic that's hitting its network port.

If you can get a SPAN port set up (it sends a copy of all traffic heading for one switch port to a second port) then you can install the packet capture software on any machine and avoid touching your indexer.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0

    Are you ready to transform how your team handles complex data requests? We invite you to our upcoming ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...