Your better option is to set up syslog-ng or another native syslogd, and use a local file consumer to read the logs generated. (syslog-ng is by far the best specific implementation, and widely recommended on here.)
There is no shortage of sources of information on the subject: Primary documentation search; Best practices for Configuring Syslog Input (Wiki).
But to answer your question strictly: UDP 514 is the syslog default (provided you have set up a listening service to capture it).
Most Cisco Nexus switches can only send syslog data over port 514. If you have more than one type of device that is limited to port 514, you could go to your syslog-ng server and set up iptables to redirect to another port on the server to monitor it. To set up iptables to redirect traffic from a specific host over port 514, you would need a command like the following:
iptables -t nat -A PREROUTING -s 10.x.x.x -p udp -m udp --dport 514 -j REDIRECT --to-ports 1234
Then you can set up your syslog-ng.conf to watch the traffic on port 1234 and give it a different source name.
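As an added illustration of what the per-port redirect above buys you (this is example code, not from the original post or from syslog-ng), the receiver below binds one UDP socket per port and tags each datagram with the source name that port stands for, while also splitting the RFC 3164 PRI into facility and severity. The port-to-name map, the host addresses and the sample log lines are constructed for this example; the mapping of 1234 to a Nexus source assumes the iptables REDIRECT rule from the post is in place on the same host.

```python
"""Added example: per-port UDP syslog receiver that names sources by the
port they arrive on. Not code from the original thread or from syslog-ng."""
import re
import selectors
import socket

# Assumed mapping (not from the post): iptables redirects the Nexus that can
# only talk to 514 onto 1234; everything else still lands on 514 itself.
SOURCE_BY_PORT = {514: "syslog_default", 1234: "nexus_redirected"}

# RFC 3164 header starts with <PRI>, PRI = facility * 8 + severity, max 191.
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_syslog(datagram: bytes, port: int, peer: str,
                 source_by_port: dict = SOURCE_BY_PORT) -> dict:
    """Decode the PRI and attach the source name for the receiving port.
    Datagrams without a valid PRI are kept rather than dropped, flagged by
    facility/severity of None, because a device emitting junk is still
    worth seeing. `peer` is the UDP source address: unauthenticated and
    spoofable, so treat it as a hint, not as identity."""
    m = PRI_RE.match(datagram)
    facility = severity = None
    body = datagram
    if m and int(m.group(1)) <= 191:
        facility, severity = divmod(int(m.group(1)), 8)
        body = datagram[m.end():]
    return {
        "source": source_by_port.get(port, f"udp_{port}"),
        "peer": peer,
        "facility": facility,
        "severity": severity,
        # Nexus puts ": " right after the PRI; strip that and trailing newline.
        "message": body.lstrip(b": ").decode("utf-8", errors="replace").rstrip(),
    }


def serve(ports, handler=print, max_messages=None,
          source_by_port: dict = SOURCE_BY_PORT):
    """Bind one UDP socket per port and dispatch datagrams as they arrive.
    Binding 514 needs root or CAP_NET_BIND_SERVICE; the iptables REDIRECT
    in the post is what lets a high port such as 1234 stand in for 514."""
    sel = selectors.DefaultSelector()
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("0.0.0.0", port))
        s.setblocking(False)
        sel.register(s, selectors.EVENT_READ, port)   # data = port number
    seen = 0
    try:
        while max_messages is None or seen < max_messages:
            for key, _ in sel.select():
                data, (host, _) = key.fileobj.recvfrom(65535)
                handler(parse_syslog(data, key.data, host, source_by_port))
                seen += 1
    finally:
        for key in list(sel.get_map().values()):
            key.fileobj.close()


# Constructed sample datagrams (not real device output).
NEXUS_LINE = (b"<189>: 2024 Jan  1 12:00:00 UTC: %ETHPORT-5-IF_DOWN_ADMIN_DOWN: "
              b"Interface Ethernet1/1 is down (Administratively down)\n")
LINUX_LINE = (b"<34>Jan  1 12:00:01 fw01 sshd[123]: Failed password for root "
              b"from 203.0.113.7 port 4242 ssh2\n")
JUNK_LINE = b"garbage without pri\n"

if __name__ == "__main__":
    # Offline demo on loopback with high ports standing in for 514/1234.
    demo_map = {5514: "syslog_default", 51234: "nexus_redirected"}
    out = []
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.sendto(NEXUS_LINE, ("127.0.0.1", 51234))
    tx.sendto(LINUX_LINE, ("127.0.0.1", 5514))
    serve(demo_map.keys(), handler=out.append, max_messages=2,
          source_by_port=demo_map)
    for rec in out:
        print(rec["source"], rec["facility"], rec["severity"], rec["message"])
```

Run as root (or with the iptables rule redirecting 514 to an unprivileged port) and pass the real ports to `serve`; the `__main__` demo uses loopback and high ports so it runs without privileges. The `-s 10.x.x.x` match in the post's iptables rule is the only thing tying port 1234 to a particular device, and UDP source addresses can be spoofed, so a different name per port is a convenience for routing logs, not an authentication boundary.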
I agree with you that setting up a dedicated syslog server is the better option for the reason of preventing message loss. A syslog daemon is restarted in under a second, whereas restarting Splunk can take a minute or two. Thus, relying on Splunk to do your syslog work can mean that you lose any messages that are sent while Splunk is restarting.
Depending on your OS platform, a syslog server may already be installed. RedHat Linux comes with rsyslog by default, and there is no reason to replace it with Syslog-NG. Setting up a dedicated syslog server would also allow you to achieve a higher level of transport security, i.e. RELP (rsyslog) or RLTP (syslog-ng).
As for the original question, you should probably try to find out what the limitations are on the sending side. IIRC I have seen some Nexus versions that could only send to port 514, i.e. the destination port was not configurable. Or it may have been that only UDP was supported. I don't remember now, but it's worth checking before you start configuring the receiving side.
/K