Syslog from switch to indexer

Path Finder


We want to send syslog from Cisco switches directly to the Splunk indexer.
So I made a NAT from UDP 514 to 5447 and a new UDP data input (for 5447).

Is it also necessary to define these data at the inputs.conf of the indexer?

Best Regards


Path Finder

I found the solution:

  1. Port forwarding was not enabled for the interface.
  2. The NAT rule was not saved.

Path Finder

Unfortunately it doesn't work.

iptables NAT rule:

     /usr/sbin/iptables -t nat -A PREROUTING -m udp -p udp --dport 514 -j REDIRECT --to-ports 5447

Firewall entries for 5447 and 514.

Entry in $SPLUNK_HOME/etc/system/local/inputs.conf:

     [udp://5447]
     disabled = false
     sourcetype = syslog
     index = switches

This creates a new data input.

I'm struggling with your command, because the Splunk running user has some security protection, so I can't execute it.

In metrics.log I have some of these entries:

04-19-2018 13:43:59.762 +0200 INFO  Metrics - group=udpin_connections,, sourcePort=5447, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00

Otherwise I can't find any data in Splunk for the switch.

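One way to spot the symptom the metrics.log line above shows (a UDP input that is configured but never sees an event), as an added example that is not from the thread: parse the udpin_connections samples and flag ports whose counters stay at zero in every sample. The sample lines are constructed; only the first is the one quoted in the post, and port 5514 is made up for contrast.

```python
import re
from collections import defaultdict

# Constructed sample of Splunk metrics.log lines. The first udpin line is the one
# quoted in the thread; the remaining lines are invented for illustration.
SAMPLE_METRICS = """\
04-19-2018 13:43:59.762 +0200 INFO  Metrics - group=udpin_connections,, sourcePort=5447, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00
04-19-2018 13:44:30.764 +0200 INFO  Metrics - group=udpin_connections,, sourcePort=5447, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00
04-19-2018 13:43:59.762 +0200 INFO  Metrics - group=udpin_connections,, sourcePort=5514, _udp_bps=812.40, _udp_kbps=0.79, _udp_avg_thruput=0.79, _udp_kprocessed=24.37, _udp_eps=3.20
04-19-2018 13:44:30.764 +0200 INFO  Metrics - group=udpin_connections,, sourcePort=5514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00
04-19-2018 13:44:30.764 +0200 INFO  Metrics - group=per_index_thruput, series="switches", kbps=0.00, eps=0.00, kb=0.00, ev=0
"""

# key=value pairs are comma separated; the value may be empty (group=udpin_connections,,)
KV_RE = re.compile(r"(\w+)=([^,\s]*)")


def parse_udpin_lines(text):
    """Yield one dict per udpin_connections sample: sourcePort (int) plus the _udp_* counters (float)."""
    for line in text.splitlines():
        if "group=udpin_connections" not in line:
            continue  # other metric groups (tcpin, per_index_thruput, ...) are not UDP inputs
        fields = dict(KV_RE.findall(line))
        if "sourcePort" not in fields:
            continue
        sample = {"sourcePort": int(fields["sourcePort"])}
        for key, value in fields.items():
            if key.startswith("_udp_"):
                sample[key] = float(value)
        yield sample


def idle_udp_inputs(text):
    """Return the set of UDP input ports that show zero events and zero KB processed in every sample."""
    activity = defaultdict(list)
    for s in parse_udpin_lines(text):
        saw_data = s.get("_udp_eps", 0.0) > 0 or s.get("_udp_kprocessed", 0.0) > 0
        activity[s["sourcePort"]].append(saw_data)
    return {port for port, seen in activity.items() if not any(seen)}


if __name__ == "__main__":
    for port in sorted(idle_udp_inputs(SAMPLE_METRICS)):
        print(f"UDP input on port {port} is listening but has received no data")
```

A port that shows up here while the NAT rule and firewall look right is a hint that the datagrams never reach the Splunk listener, which is exactly what to check at the iptables layer next.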

Super Champion

I think you would need to configure inputs.conf for port 5447 at the indexer.

Go to /opt/splunk/bin/ on the indexer and run this command:

     ./splunk add udp 5447 -sourcetype syslog

Refer to this doc for more.

Let me know if this helps!



Though you can syslog to indexers, don't. Send to a syslog server of your flavor and use a universal forwarder to pick up the logs.
