Getting Data In

Trying to capture cisco syslog errors

wingnut144
New Member

I just installed Splunk, and pointed my Cisco switch and router at the Splunk server IP, and told the server to listen on port 514.

Nothing is coming in to the Splunk system.

Did I miss something????

Tags (1)
0 Karma

dayakadam
New Member

On the Splunk server, you must listen to UDP port 514 by going Manager -> Data Inputs -> and click Add New to UDP.

0 Karma

nathan01
New Member

Hello,

Please does anyone have a response to the above. I am having similar issues. Not receiving any log messages on splunk from my cisco switch. There is no firewall between the devices, and i have set up splunk to listen for TCP and UDP port 514 however switches are using UDP port 514.

Thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

This thread is more than 4 years old. You're more likely to get a response by posting a new question.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

mvasquez2
New Member

i have a similar issue but I am only getting log msgs that start with "%SYS". I need to get all the data as I am running debugs. those are scrolling on the terminal screen but are not being sent to Splunk for some reason.

0 Karma

dustinmalley
Engager

I had an issue with this at fist.

Ensure that you have the following configured on your Cisco devices:

logging trap (trap level)
logging host (Splunk Server) transport (tcp | udp) port (514)
logging on

In Splunk's Data Inputs:

Add a TCP or UDP type (I use TCP) and ensure that it's setup for 514 and the sourcetype is syslog

After that, I'd check to see if you have a firewall blocking port 514 (or whatever you're using) to your Splunk server.

Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.