Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

PREROUTED 514 traffic not being seen by Splunk

robnewman666
Path Finder
‎02-15-2017 01:05 AM

I have set up a port redirect using iptables -t nat -A PREROUTING -p UDP -m udp --dport 514 -j REDIRECT --to-ports 5140 and I can see the traffic hitting my em3 port using tcpdump, plus I have set up the port to listen for UDP traffic in Splunk, but nothing shows up within Splunk (indexes etc). I have made this work before using this method, but it isn't today and its bugging me - any ideas why it's not?

Tags (3)
0 Karma
Reply

TiagoTLD1
Communicator
‎02-15-2017 03:50 AM

Hi,

Check index=_internal for the connection from the por you are expecting. If data is really hitting splunk, some message will show up there about it.

Let me know once you have results

0 Karma
Reply

robnewman666
Path Finder
‎02-15-2017 07:48 AM

so i configured an inputs.conf with the following:
[udp://5140]
sourcetype=syslog
connection_host=ip
queueSize = 1MB
persistentQueueSize = 5MB

Now I can see traffic going to port 5140 via index=_internal, but the host is showing as localhost=localdomain, not the ip address I would usually expect.

0 Karma
Reply

TiagoTLD1
Communicator
‎02-15-2017 07:57 AM

In your inputs.conf you are not specifying any index, so I would check index=main to see if the data is arriving there.

0 Karma
Reply

robnewman666
Path Finder
‎02-21-2017 09:25 AM

Thanks, will try this tomorrow to see if it works.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf25, and our Community

Thank you to everyone in the Splunk Community who joined us for .conf25, which kicked off with our iconic ...

Data Persistence in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. What happens if the OpenTelemetry collector ...

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...