I am trying to get the Universal Forwarder to forward event logs (System and Security) from Windows to syslog on Linux. Nothing happens. The Linux box does not receive any packets addressed to port 514.
The computers are directly connected, the firewall on the Windows machine is off and the netfilter firewall on the Linux machine just accepts everything.
The machines can ping each other, and the Windows machine can access the Linux machine using HTTP.
To create log entries I clear the log file, and Windows creates one log record to say that this happened. (I have also tried logging off and on again, and also opening a command window. No better.)
The file ...\etc\system\local\outputs.conf says:

[syslog]
defaultGroup = mysyslog
disabled = false

[syslog:mysyslog]
server = 192.168.0.99:514 # the IP of the Linux machine
type = udp
...\etc\system\local\inputs.conf says (the dashes in the attribute names were rendered from underscores):

[default]
host = testserver # the windows machine

[WinEventLog:Security] # ... and ditto for [WinEventLog:System]
disabled = 0
start_from = oldest # I have tried newest
current_only = 0 # I have tried 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
checkpointinterval = 5
Any suggestions while I still have some hair?
Just to add to chrisrex's post... as port 514 is in the privileged port range, your Splunk Indexer on Linux would have to be run with "root" permissions for UDP port 514 to open.
Also, you could try running a network sniffer such as "wireshark" on the windows machine to ensure that syslog packets are actually being sent out over the network interface.
Thanks Damien. See above. Also, I can get the Universal Forwarder to send events to the Indexer, but not to syslog.
And thanks for "wireshark". That is the answer to my next question, which has not been asked yet!
Thanks Chris. Yes, I am running syslogd as root, and I get exactly what you suggest. In addition, tcpdump shows nothing arriving mentioning port 514. I would expect to see it even if the port was closed. It looks like nothing relevant leaves the Windows machine. (But I do see packets addressed to port 9997.)
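A way to separate the two halves of this problem, as an added example that is not part of the thread and not Splunk's own code: the script below builds the kind of RFC 3164 datagram a syslog forwarder puts on the wire, binds a UDP listener on the receiving host, sends the datagram to it and reports what arrived. Run it on the Linux box first on an unprivileged port (5514 here is an assumption, chosen so the check needs no root), then on 514: a PermissionError on 514 is exactly the privileged-port condition Damien describes, and a timeout means the listener side is not receiving at all. The hostname, tag and message text are constructed for the example.

```python
"""Loopback check for the syslog leg of a forwarding chain.

Added example (not from the original thread, not Splunk code). It
constructs an RFC 3164 style datagram, sends it over UDP and receives it
on the same host, so the receiving side (socket bound, privileges for a
port below 1024, local firewall) can be verified independently of the
forwarder that is supposed to send to it.
"""
import socket
from datetime import datetime
from typing import Optional

# RFC 3164 PRI = facility * 8 + severity; these two are the values a
# generic "user" facility / "informational" message would carry.
FACILITY_USER = 1
SEVERITY_INFO = 6


def build_syslog_datagram(hostname: str, tag: str, message: str,
                          facility: int = FACILITY_USER,
                          severity: int = SEVERITY_INFO,
                          when: Optional[datetime] = None) -> bytes:
    """Return one RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    when = when or datetime.now()
    # RFC 3164 timestamp: month abbreviation, space-padded day, time.
    stamp = when.strftime("%b ") + f"{when.day:2d}" + when.strftime(" %H:%M:%S")
    pri = facility * 8 + severity
    return f"<{pri}>{stamp} {hostname} {tag}: {message}".encode()


def parse_pri(datagram: bytes) -> tuple:
    """Split the leading <PRI> field back into (facility, severity)."""
    if not datagram.startswith(b"<") or b">" not in datagram:
        raise ValueError("datagram does not start with a PRI field")
    pri = int(datagram[1:datagram.index(b">")])
    return pri // 8, pri % 8


def sample_datagram() -> bytes:
    """Constructed test event with a fixed timestamp (hypothetical data)."""
    return build_syslog_datagram("testserver", "WinEventLog",
                                 "constructed test event",
                                 when=datetime(2012, 1, 2, 3, 4, 5))


def udp_loopback_check(port: int = 5514, host: str = "127.0.0.1",
                       payload: Optional[bytes] = None,
                       timeout: float = 2.0) -> bytes:
    """Bind a UDP listener, send one datagram to it, return what arrived.

    Raises PermissionError for ports below 1024 when not running as root
    (or without CAP_NET_BIND_SERVICE), the condition Damien describes for
    UDP 514. Raises socket.timeout if nothing is received, which mirrors
    the "nothing arrives on 514" symptom in the question.
    """
    payload = payload if payload is not None else sample_datagram()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.settimeout(timeout)
        rx.bind((host, port))            # PermissionError here on 514 unprivileged
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
            tx.sendto(payload, (host, port))
        data, _peer = rx.recvfrom(65535)  # socket.timeout if it never arrives
    return data


if __name__ == "__main__":
    received = udp_loopback_check()
    print("received:", received.decode())
    print("facility/severity:", parse_pri(received))
```

If the loopback check passes on 514 while tcpdump on the same box still shows no datagram from the Windows host, the sending side is the remaining suspect, which is the conclusion the tcpdump observation above already points to. One thing worth ruling out there: Splunk's .conf parser only treats a line that begins with # as a comment, so if the trailing "# the IP of the Linux machine" in the posted outputs.conf is in the real file rather than added for the post, it becomes part of the server value; keep such notes on their own line.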