Getting Data In

How to allow Splunk to connect to UDP port 161 in Linux?

cebo_myeza
Path Finder

Hi,

I am working on a Splunk project and I am using CentOS as my operating system. I just need help on how to allow only the SNMP monitoring server (Splunk) to connect to UDP port 161 in CentOS using the CLI.

1 Solution

MuS
SplunkTrust

Hi cebo_myeza,

If you have Splunk installed with a non-root user on Linux, you can't listen on ports below 1024. But there is a workaround:

/usr/sbin/iptables -t nat -A PREROUTING -m udp -p udp --dport 161 -j REDIRECT --to-ports 1161

The iptables firewall will route UDP from port 161 to port 1161.
It needs to be executed as root, and your sysadmin should make it bootable so that this redirect is permanent and gets loaded after a system reboot.

Afterwards do this:

$SPLUNK_HOME/bin/splunk add udp 1161 -sourcetype snmp

Hope this helps ...

cheers, MuS
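One way to put the redirect above into a form a sysadmin can keep, as an added example (my script, not MuS's or Splunk's): it limits the redirect and the resulting 1161 listener to the single SNMP source the original question asks about, checks with -C before appending so re-running it does not duplicate rules, and has a DRY_RUN mode that prints the commands instead of executing them. The source address 192.0.2.10/32 is a constructed placeholder; the iptables path is the one from the answer.

```shell
#!/bin/sh
# Added example (not code from the thread): install the UDP 161 -> 1161
# redirect from the accepted answer, limited to one allowed SNMP source,
# plus filter rules so nothing else reaches the Splunk listener.
# ALLOWED_SRC below is a constructed placeholder address (assumption).
ALLOWED_SRC=${ALLOWED_SRC:-192.0.2.10/32}
PUBLIC_PORT=161          # port the SNMP sender targets
SPLUNK_PORT=1161         # unprivileged port Splunk binds ("splunk add udp 1161")
IPTABLES=${IPTABLES:-/usr/sbin/iptables}

# Run one iptables command, or only print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Append a rule only if an identical one is not already present, so the
# script is safe to re-run (e.g. from a boot-time unit).
# $1 = table, $2 = chain, rest = rule specification
ensure_rule() {
    table=$1
    chain=$2
    shift 2
    if [ "${DRY_RUN:-0}" = "1" ] || ! "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        ipt -t "$table" -A "$chain" "$@"
    fi
}

apply_snmp_rules() {
    # Redirect only the allowed source; REDIRECT rewrites the destination
    # port, so these packets arrive in INPUT with --dport 1161.
    ensure_rule nat PREROUTING -p udp -s "$ALLOWED_SRC" --dport "$PUBLIC_PORT" \
        -j REDIRECT --to-ports "$SPLUNK_PORT"
    # Accept the redirected packets from the allowed source ...
    ensure_rule filter INPUT -p udp -s "$ALLOWED_SRC" --dport "$SPLUNK_PORT" -j ACCEPT
    # ... and drop anyone else who targets either port directly.
    ensure_rule filter INPUT -p udp --dport "$SPLUNK_PORT" -j DROP
    ensure_rule filter INPUT -p udp --dport "$PUBLIC_PORT" -j DROP
}

# Usage: sh snmp_redirect.sh apply   (as root; add DRY_RUN=1 to preview)
if [ "${1:-}" = "apply" ]; then
    apply_snmp_rules
fi
```

Run it as root with `apply`, or `DRY_RUN=1 sh snmp_redirect.sh apply` to review the rules first. The rules are appended, so on a host that already has INPUT rules check that an earlier broad ACCEPT does not make the DROP lines unreachable. To make it survive a reboot on CentOS, save the ruleset (for example with iptables-save into /etc/sysconfig/iptables when the iptables-services package is in use), as the answer recommends.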


cebo_myeza
Path Finder

Hi MuS,

Thanks for your time though.

I am a little bit confused about the second part: add udp 1611 -sourcetype snmp. What is 1611 for?

Thanks


s2_splunk
Splunk Employee

I think it's a typo, should be 1161, the port 161 gets redirected to.

MuS
SplunkTrust

Hehe, indeed it is a typo, corrected now. Thanks for the hint 😉


cebo_myeza
Path Finder

Hi,

Thanks again for your time.

Is it correct to use this even though I am running my Splunk as root?


MuS
SplunkTrust

No, running Splunk as root should be fine. But if you cannot assign a port, it could already be open / in use.


yannK
Splunk Employee

This is for when the Splunk service is not running as root: then it cannot open any ports in the 1-1024 range (reserved for root).
So a workaround is to use iptables to map port 161 to a port > 1024, like 1611.

The second command is the splunk CLI command to add a new input on the new port.


splunker12er
Motivator

Add CLI inputs:

./splunk add udp 161 -sourcetype name_of_your_sourcetype

Add inputs via Splunkweb:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/SyslogTCP

UDP

[udp://<remote server>:<port>]
<attribute1> = <val1>
<attribute2> = <val2>
...

This type of input stanza is similar to the TCP type, except that it listens on a UDP port.

Further reference:
http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports

http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/SendSNMPeventstoSplunk

cebo_myeza
Path Finder

Hi,
Thanks for your help.

Can you please explain this part for me:

[udp://<remote server>:<port>]
<attribute1> = <val1>
<attribute2> = <val2>
...

Where should I write this, and what is it for?


splunker12er
Motivator

Hello,

Edit inputs.conf in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/your_app/local

You can set any number of attributes and values following an input type (please refer to the link, http://docs.splunk.com/Documentation/Splunk/6.2.3/Data/Monitornetworkports). If you do not specify a value for one or more attributes, Splunk uses the defaults that are preset in $SPLUNK_HOME/etc/system/default/ (noted below).


cebo_myeza
Path Finder

Hello,
If I try to add the port I get the following error:

[root@localhost bin]# ./splunk add udp 161 -sourcetype snmp
Splunk username: admin

Password:
Can't create directory "/root/.splunk": Permission denied
[root@localhost bin]#

Please help.


splunker12er
Motivator

To use ./splunk you have to set environment variables.

If you are using *nix operating systems, try setting up the env variables:

export SPLUNK_HOME=/opt/splunk
export PATH=$SPLUNK_HOME/bin:$PATH

Or else, you should directly add stanzas to inputs.conf, something like this, via CLI:

/opt/splunk/bin/splunk add udp 161 -sourcetype snmp

MuS
SplunkTrust

or do source /opt/splunk/bin/setSplunkEnv 😉

The problem here is that the add-monitor script adds an authToken_servername_8089 to the normal user's home directory, but owned by splunk:splunk.

So try something like this:

sudo ./splunk add monitor /var/log/

It should prompt you for the root [sudo] password and then for the Splunk credentials that were set up.
