Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Syslog from switch to indexer

chrisitanmoleck
Path Finder
‎04-19-2018 12:04 AM

Hello,

we want to send syslog from cisco switches directly to the splunk indexer.
So I made a NAT from UDP 514 to 5447 and a new UPD data input (for 5447).

Is it also neccessary to define these data at the inputs.conf of the indexer?

Best Regards
Christian

0 Karma
Reply

chrisitanmoleck
Path Finder
‎04-24-2018 01:11 AM

I found the solution:

  1. Port forwarding was not enabled for the interface. 1
  2. The NAT-Rule was not saved. 2
0 Karma
Reply

chrisitanmoleck
Path Finder
‎04-19-2018 04:46 AM

Unfortunately it doesn't work.

IP-Tables NAT: /usr/sbin/iptables -t nat -A PREROUTING -m udp -p udp --dport 514 -j REDIRECT --to-ports 5447
Firewall entries for 5447 and 514

Entry in $SPLUNK_HOME/etc/system/local/inputs.conf

[udp://10.23.112.64:5447]
disabled = false
sourcetype = syslog
index = switches

This creates a new data input.

I struggeling with your command, because the splunk running user has some security protection, so that I can't execute it.

In metrics.log I have some of these entries: 

04-19-2018 13:43:59.762 +0200 INFO  Metrics - group=udpin_connections, 10.23.112.64:5447, sourcePort=5447, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00

Otherwise I can't find any data in splunk to the switch.

0 Karma
Reply

mayurr98
Super Champion
‎04-19-2018 12:17 AM

I think you would need to configure inputs.conf for port 5447 at the indexer.

go to /opt/splunk/bin/ on indexer and run this command.

     ./splunk add udp 5447 -sourcetype syslog

Refer this doc for more
https://docs.splunk.com/Documentation/Splunk/7.0.3/Data/Monitornetworkports#Examples

let me know if this helps!

0 Karma
Reply

starcher
Influencer
‎04-19-2018 08:22 PM

Though you can syslog to indexers. Don’t. Send to a syslog server of your flavor and use a universal forwarder to pickup logs.

http://www.georgestarcher.com/splunk-success-with-syslog/

Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...