We want to send syslog from Cisco switches directly to the Splunk indexer.
So I made a NAT from UDP 514 to 5447 and a new UDP data input (for 5447).
Is it also necessary to define these data in the inputs.conf of the indexer?
Unfortunately it doesn't work.
IP-Tables NAT:
/usr/sbin/iptables -t nat -A PREROUTING -m udp -p udp --dport 514 -j REDIRECT --to-ports 5447
Firewall entries for 5447 and 514
Entry in $SPLUNK_HOME/etc/system/local/inputs.conf
[udp://10.23.112.64:5447]
disabled = false
sourcetype = syslog
index = switches
This creates a new data input.
I am struggling with your command, because the Splunk running user has some security protection, so that I can't execute it.
In metrics.log I have some of these entries:
04-19-2018 13:43:59.762 +0200 INFO Metrics - group=udpin_connections, 10.23.112.64:5447, sourcePort=5447, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00
Otherwise I can't find any data in Splunk for the switch.
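As an added example (not code from the thread or from Splunk), here is a small Python check I use for exactly this situation: it reads metrics.log udpin_connections lines and lists listeners whose _udp_eps is 0.00 (nothing is arriving at that port), then confirms that a syslog datagram can be received and its PRI header decoded. The metrics lines are constructed samples in the shape of the one quoted above, the second line being an invented healthy listener on 1514 for contrast; the loopback listener binds an ephemeral port instead of 5447 so it does not collide with a running Splunk.

```python
"""Check whether syslog datagrams are reaching a Splunk UDP input."""
import re
import socket

# Constructed sample: first line copied from the thread, second line invented
# as a listener that does receive data, so the filter has something to keep.
SAMPLE_METRICS = """\
04-19-2018 13:43:59.762 +0200 INFO Metrics - group=udpin_connections, 10.23.112.64:5447, sourcePort=5447, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00
04-19-2018 13:44:30.762 +0200 INFO Metrics - group=udpin_connections, 10.23.112.64:1514, sourcePort=1514, _udp_bps=12.50, _udp_kbps=0.01, _udp_avg_thruput=0.01, _udp_kprocessed=0.37, _udp_eps=3.20
"""

# Constructed RFC 3164 style message; <189> is local7.notice, the facility
# Cisco IOS uses by default for its logging host.
SAMPLE_SYSLOG = b"<189>Apr 19 13:43:59 sw-core-01 %LINK-5-CHANGED: Interface Gi1/0/1 changed state to administratively down"

UDPIN_RE = re.compile(
    r"group=udpin_connections, (?P<listen>[\d.]+:\d+), .*_udp_eps=(?P<eps>[\d.]+)"
)

FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def idle_udp_inputs(metrics_text):
    """Return listen addresses whose udpin_connections sample shows 0 events/sec.

    A listener that appears here with _udp_eps=0.00 is bound and healthy from
    Splunk's point of view; the packets simply are not arriving, which points
    at the NAT rule, the firewall or the switch configuration rather than at
    inputs.conf.
    """
    idle = []
    for line in metrics_text.splitlines():
        m = UDPIN_RE.search(line)
        if m and float(m.group("eps")) == 0.0:
            idle.append(m.group("listen"))
    return idle


def parse_pri(datagram):
    """Decode the <PRI> header of a syslog datagram into (facility, severity).

    Returns None when the datagram has no valid PRI, which is what you see
    when something other than syslog (or a truncated packet) hits the port.
    """
    m = re.match(rb"<(\d{1,3})>", datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI value
        return None
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def loopback_check(message, host="127.0.0.1"):
    """Bind a throwaway UDP listener, send `message` to it and return what arrived.

    On the indexer itself you would bind the real port (5447) with Splunk
    stopped to see whether anything comes through the REDIRECT; here an
    ephemeral port is used so the example runs anywhere.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((host, 0))  # port 0 = let the kernel pick a free port
        listener.settimeout(2)
        port = listener.getsockname()[1]
        sender.sendto(message, (host, port))
        data, _addr = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    return data


if __name__ == "__main__":
    print("listeners receiving nothing:", idle_udp_inputs(SAMPLE_METRICS))
    received = loopback_check(SAMPLE_SYSLOG)
    print("received", len(received), "bytes, PRI decodes to", parse_pri(received))
```

One caveat when using the loopback check on the indexer: a packet sent from the box itself never traverses the PREROUTING chain (locally generated traffic goes through OUTPUT), so it exercises the listener, not the REDIRECT rule. To prove the NAT rule, send from another host and watch the packet counters of the nat table rule, or run the listener on 5447 and send from the switch.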
I think you would need to configure inputs.conf for port 5447 at the indexer.
Go to /opt/splunk/bin/ on the indexer and run this command.
./splunk add udp 5447 -sourcetype syslog
Refer to this doc for more.
Let me know if this helps!
Though you can syslog to indexers, don't. Send to a syslog server of your flavor and use a universal forwarder to pick up the logs.