Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Syslog from Firewall issue

hartfoml
Motivator
‎01-18-2012 12:15 PM

I asked my Firewall admin to change the port for syslog to the Splunk indexer.

He changed it from 514 to 1514.

He said he made the change but I am not seeing the incoming log data.

I'm sure the indexer host firewall port is open.

Where would I go to see what data is coming in on what port?

Does splunk tag the data with the indexer connection information?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hartfoml
Motivator
‎01-20-2012 12:08 PM

Used the SoS app

This app will show you

S.o.S - Splunk on Splunk > Metrics > Incoming Network Throughput

this shows the network data comeing into splunk on what ports

After checking with my lunix admin and looking in SoS I confrunted the firewall guy and they did not make the change requiered.

View solution in original post

Reply
Solved! Jump to solution
Solution

hartfoml
Motivator
‎01-20-2012 12:08 PM

Used the SoS app

This app will show you

S.o.S - Splunk on Splunk > Metrics > Incoming Network Throughput

this shows the network data comeing into splunk on what ports

After checking with my lunix admin and looking in SoS I confrunted the firewall guy and they did not make the change requiered.

Reply
Solved! Jump to solution

FunPolice
Path Finder
‎01-18-2012 11:33 PM

The low-impact way would be to get IP accounting or netflow data from any routers or switches between the firewall and your indexer.

Otherwise you could install packet capture software (Wireshark or Microsoft Network Monitor, for example) on your indexer and capture all of the traffic that's hitting its network port.

If you can get a SPAN port set up (it sends a copy of all traffic heading for one switch port to a second port) then you can install the packet capture software on any machine and avoid touching your indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...