
Which port can I use to send syslog traffic to Splunk for a Cisco Nexus device?

MayraGuia
New Member

I am trying to send syslog traffic from some Nexus devices to Splunk, but I have not been able to find which port I should use.

1 Solution

grijhwani
Motivator

Your better option is to set up syslog-ng or other native syslogd, and use a local file consumer to read the logs generated. (syslog-ng is by far the best specific implementation, and widely recommended on here.)

There is no shortage of sources of information on the subject: Primary documentation search; Best practices for Configuring Syslog Input (Wiki); Best practices for Configuring Syslog Input (wiki).

But to answer your question strictly, UDP 514 is the syslog default (provided you have set up a listening service to capture it).


klotfy
New Member

Most Cisco Nexus devices can only send syslog data over port 514. If you have more than one type of device that is limited to port 514, you could go to your syslog-ng server and set up an iptables rule to redirect to another port on the server to monitor it. To set up iptables to redirect traffic from a specific host over port 514, you would need a command like the following:

iptables -t nat -A PREROUTING -s 10.x.x.x -p udp -m udp --dport 514 -j REDIRECT --to-ports 1234

Then you can set up your syslog-ng.conf to listen on port 1234 and give that traffic a different source name.

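The receive-side pipeline the two answers above describe (grijhwani's "native syslogd plus a local file consumer", klotfy's iptables redirect to a second port), pulled together as an added example. This is not code from the thread or from Splunk/syslog-ng; the device address 10.0.0.5, the redirect port 1514, the log root /var/log/remote/nexus and the sourcetype cisco:nexus are assumptions chosen for illustration. The script only renders the rule and the two config fragments to stdout, so it is safe to run anywhere; apply the iptables rule and install the fragments by hand.

```shell
#!/bin/sh
# Added example, not from the original thread. Renders the three pieces needed
# on a Linux collector so a Nexus that can only target UDP 514 ends up in a
# per-device file that Splunk tails. All values below are assumptions.
set -eu

NEXUS_IP="${NEXUS_IP:-10.0.0.5}"                    # assumed Nexus source address
ALT_PORT="${ALT_PORT:-1514}"                        # assumed port syslog-ng listens on
LOG_ROOT="${LOG_ROOT:-/var/log/remote/nexus}"       # assumed log root

# 1. NAT rule: rewrite the destination port for this one sender before the
#    packet reaches the socket layer, so syslog-ng can keep a per-device port.
redirect_rule() {
    printf 'iptables -t nat -A PREROUTING -s %s -p udp -m udp --dport 514 -j REDIRECT --to-ports %s\n' "$1" "$2"
}

# 2. syslog-ng source bound to the redirected port, writing one file per
#    sending host and day. ${HOST} falls back to the packet's source address
#    when the message carries no hostname, which is what keeps devices apart.
syslogng_conf() {
    cat <<EOF
source s_nexus {
    network(ip("0.0.0.0") port($1) transport("udp"));
};
destination d_nexus {
    file("$2/\${HOST}/\${YEAR}-\${MONTH}-\${DAY}.log" create-dirs(yes));
};
log { source(s_nexus); destination(d_nexus); };
EOF
}

# Splunk's host_segment counts path components from the root: for
# /var/log/remote/nexus/<host>/<file> the <host> directory is segment 5.
# Derived from the root so a different LOG_ROOT still yields the right value.
host_segment() {
    printf '%s\n' "${1%/}" | awk -F/ '{ print NF }'
}

# 3. Splunk monitor stanza for the directory tree syslog-ng writes into.
splunk_inputs() {
    cat <<EOF
[monitor://$1]
sourcetype = cisco:nexus
host_segment = $(host_segment "$1")
disabled = false
EOF
}

echo "# iptables rule (run as root on the collector):"
redirect_rule "$NEXUS_IP" "$ALT_PORT"
echo
echo "# /etc/syslog-ng/conf.d/nexus.conf:"
syslogng_conf "$ALT_PORT" "$LOG_ROOT"
echo
echo "# inputs.conf stanza on the forwarder that reads $LOG_ROOT:"
splunk_inputs "$LOG_ROOT"
```

The point of leaving syslog-ng in the path, as kristian_kolb's reply spells out, is that the UDP socket stays open while Splunk restarts; the forwarder then catches up from the files. Restart syslog-ng after installing the fragment and confirm the socket with `ss -ulnp | grep 1514` before pointing the device at the collector.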

kristian_kolb
Ultra Champion

I agree with you that setting up a dedicated syslog server is the better option for the reason of preventing message loss. A syslog daemon is restarted in under a second, whereas restarting Splunk can take a minute or two. Thus, relying on Splunk to do your syslog work can mean that you lose any messages that are sent while Splunk is restarting.

Depending on your OS platform, a syslog server may already be installed. RedHat Linux comes with rsyslog by default, and there is no reason to replace it with Syslog-NG. Setting up a dedicated syslog server would also allow you to achieve a higher level of transport security, i.e. RELP (rsyslog) or RLTP (syslog-ng).

As for the original question, you should probably try to ensure what the limitations are from the sending side. IIRC I have seen some Nexus versions that could only send to port 514, i.e. destination not configurable. Or if it was that only UDP was supported. Don't remember now, but it's worth checking out before you start configuring the receiving side.

/K

