Hi cebo_myeza,
If you have Splunk installed with a non-root user on Linux, you can't listen on ports below 1024. But there is a workaround:
/usr/sbin/iptables -t nat -A PREROUTING -m udp -p udp --dport 161 -j REDIRECT --to-ports 1161
The IPTABLES Firewall will route UDP from port 161 to port 1161.
It needs to be executed as root, and your sysadmin should make it bootable, so that this redirect is permanent and gets loaded after a system reboot.
Afterwards do this:
$SPLUNK_HOME/bin/splunk add udp 1161 -sourcetype snmp
Hope this helps ...
cheers, MuS

Hi MuS
Thanks for your time though.
I am a little bit confused about the second part... add udp 1611 -sourcetype snmp, what is 1611 for?
thanks

I think it's a typo, should be 1161, the port 161 gets redirected to.

HeHe, indeed it is a typo - corrected now. Thanks for the hint 😉

Hi
Thanks again for your time.
Is it correct to use this even though I am running my Splunk as root?

No, running Splunk as root should be fine. But if you cannot assign a port, it could be already open / in use.

This is for when the Splunk service is not running as root: then it cannot open any ports in the 1-1024 range (reserved for root).
So a workaround is to use iptables to map port 161 to a port > 1024, like 1611.
The second command is the Splunk CLI command to add a new input on the new port.

Add CLI inputs:
./splunk add udp 161 -sourcetype name_of_your_sourcetype
Add inputs via Splunkweb:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/SyslogTCP
UDP
[udp://<remote server>:<port>]
<attribute1> = <val1>
<attribute2> = <val2>
...
This type of input stanza is similar to the TCP type, except that it listens on a UDP port.
Further reference:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/SendSNMPeventstoSplunk

Hi
Thanks for your help.
Can you please explain this part for me:
[udp://<remote server>:<port>]
<attribute1> = <val1>
<attribute2> = <val2>
...
Where should I write this, and what is it for?

Hello,
Edit inputs.conf in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory, $SPLUNK_HOME/etc/apps/your_app/local.
You can set any number of attributes and values following an input type (please refer to the link: http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports). If you do not specify a value for one or more attributes, Splunk uses the defaults that are preset in $SPLUNK_HOME/etc/system/default/ (noted below).
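The two steps the thread combines (MuS's iptables REDIRECT from UDP 161 to 1161, and the matching [udp://<port>] stanza in inputs.conf) are pulled together in the script below. It is an added example, not code from the thread or from Splunk. It assumes SPLUNK_HOME defaults to /opt/splunk, that `iptables-save -t nat` prints the rule in the normalised `-p udp -m udp` order, and that `connection_host` is an accepted UDP input attribute. The point it adds to the thread is idempotency: a boot script that re-runs the `iptables -A` line blindly stacks a duplicate rule on every reboot, so the rule is only appended when it is not already present. Running it needs root only for the iptables part; the stanza generator is plain text.

```shell
#!/bin/sh
# Added example (not from the thread): idempotent UDP 161 -> 1161 redirect
# plus the equivalent inputs.conf stanza for a non-root splunkd.
# Assumptions: SPLUNK_HOME defaults to /opt/splunk; iptables-save prints the
# rule in "-p udp -m udp" order; connection_host is a valid UDP input attribute.

: "${SPLUNK_HOME:=/opt/splunk}"
SNMP_PORT=161      # privileged port the SNMP traps arrive on
LISTEN_PORT=1161   # unprivileged port a non-root splunkd can bind

# The thread's REDIRECT rule as it appears in `iptables-save -t nat` output
# (assumed normalised ordering; the thread's "-m udp -p udp" form is equivalent).
REDIRECT_RULE="-A PREROUTING -p udp -m udp --dport ${SNMP_PORT} -j REDIRECT --to-ports ${LISTEN_PORT}"

# redirect_present RULESET_TEXT: succeed if the ruleset already holds the rule.
# Checking first keeps a boot script from appending a duplicate rule each run.
redirect_present() {
    printf '%s\n' "$1" | grep -Fqx -- "$REDIRECT_RULE"
}

# current_nat_rules: dump the live nat table (needs root); empty if unavailable.
current_nat_rules() {
    iptables-save -t nat 2>/dev/null || true
}

# ensure_redirect: append the REDIRECT rule only when it is missing.
ensure_redirect() {
    if redirect_present "$(current_nat_rules)"; then
        echo "redirect udp/${SNMP_PORT} -> ${LISTEN_PORT} already present"
    else
        iptables -t nat -A PREROUTING -p udp -m udp --dport "$SNMP_PORT" \
            -j REDIRECT --to-ports "$LISTEN_PORT"
    fi
}

# udp_stanza SOURCETYPE: inputs.conf stanza equivalent to
# `splunk add udp 1161 -sourcetype snmp`. Listening on the redirected port
# means splunkd never needs root to receive traps sent to 161.
udp_stanza() {
    printf '[udp://%s]\nsourcetype = %s\nconnection_host = ip\n' "$LISTEN_PORT" "$1"
}

# Usage (as root, e.g. from a boot script):
#   ensure_redirect
#   udp_stanza snmp >> "$SPLUNK_HOME/etc/system/local/inputs.conf"
```

The `grep -Fqx` match against the saved ruleset is deliberately exact: if an admin later changes the target port, the old rule is reported as absent and a second, conflicting REDIRECT would be added, so compare against `iptables-save` output by eye before changing the constants.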

Hello
If I try to add the port I get the following error:
[root@localhost bin]# ./splunk add udp 161 -sourcetype snmp
Splunk username: admin
Password:
Can't create directory "/root/.splunk": Permission denied
[root@localhost bin]#
Please help

To use ./splunk, you have to set environment variables.
If you are using a *nix operating system, try setting up the env variables:
export SPLUNK_HOME=/opt/splunk
export PATH=$SPLUNK_HOME/bin:$PATH
Or else, you can add the stanza to inputs.conf directly via the CLI, something like this:
/opt/splunk/bin/splunk add udp 161 -sourcetype snmp

Or do: source /opt/splunk/bin/setSplunkEnv
😉
The problem here is that the add-monitor script adds an authToken_servername_8089
to the normal user's home directory, but owned by splunk:splunk.
So try something like this:
sudo ./splunk add monitor /var/log/
It should prompt you for the root [sudo] password and then the Splunk credentials that were set up.
