
Splunk Indexer not receiving the logs from network devices (Syslog) via UDP port 514

Path Finder

Hi All,

I have configured the UDP port in data inputs on port 514 but still no luck in receiving any syslog data from network devices.
We have configured nearly 20 devices to forward their logs via UDP (514) to our Splunk indexer but none are shown under the search data summary.

Splunk Enterprise is running on Windows Server 2012.

Kindly help to get it resolved.

Thanks in advance.


SplunkTrust

Try using PowerShell to put data into the indexer and let me know if it works.

function logSend([string]$s) {
    # write to UDP
    $ip = @("127.0.0.1")   # array of IPs to send UDP data to
    $port = 514
    $ip | ForEach-Object {
        $address = [System.Net.IPAddress]::Parse($_)
        $udpClient = New-Object System.Net.Sockets.UdpClient
        try {   # connect the UDP object to the address and send $s ASCII encoded
            $udpClient.Connect($address, $port)
            $sendBytes = [Text.Encoding]::ASCII.GetBytes($s)
            [void]$udpClient.Send($sendBytes, $sendBytes.Length)
        }
        catch { Write-Host $_ }          # $_ is the current error record, not the whole $error history
        finally { $udpClient.Close() }   # always release the socket, even when Send fails
    }
}

logSend "test event"

Legend

Did you dump traffic to see that traffic on port 514 is actually reaching the machine?

Another thing to try when verifying things is to run a realtime search in Splunk. That way you see exactly what data is coming in, so if there are issues with incorrect timestamps for instance you would still see the logs coming in with the realtime search.


Communicator

Hello @ayn and @sumit29,

I am facing the same problem now. I have configured the UDP port 514 in data inputs (local input, not forwarded inputs) but still no luck in receiving any data from the sending device (verified that data is coming in up to that point).
No data is shown under the search data summary.
Splunk Enterprise v6.3 is running on a Windows 7 machine.

Please enlighten others by helping solve this issue.


Path Finder

Still waiting for a reply.


Path Finder

Hi, thanks for the quick reply.

I ran netstat on the indexer and it is listening on UDP port 514.
Windows Firewall is disabled.
I have also downloaded the Snare agent to forward the logs to the indexer; there also no luck.

Splunk version running: 6.2

Kindly help, I am stuck.


Legend

Troubleshooting tips:

  • Make sure that Splunk is actually listening on port 514/UDP, as a data input port, not a receiving port that you would otherwise configure in "Forwarding and receiving".
  • Make sure that the traffic is reaching your system by sniffing on the network interface, for instance using a tool like Wireshark.
  • Verify that no local firewall is interfering with the traffic so that it's blocked before reaching Splunk.
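The three checks above can be run from the indexer itself. This is an added PowerShell example, not code from the thread; it assumes the UDP input is on 514, that splunkd.exe should own the socket, and that Windows 8 / Server 2012 or later is in use (the NetTCPIP and NetSecurity cmdlets). The function name Send-SyslogTest and the tag splunk-udp-check are made up for this example.

```powershell
# Added example: verify the listener and the firewall, then send one syslog-style
# test line that can be found with a search such as:  index=* "splunk-udp-check"
$Port = 514

# 1. Is anything bound to UDP/514, and is the owner splunkd (not another syslog agent)?
$endpoints = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
if (-not $endpoints) {
    Write-Warning "Nothing is listening on UDP/$Port - check Settings > Data inputs > UDP."
}
foreach ($ep in $endpoints) {
    $proc = Get-Process -Id $ep.OwningProcess -ErrorAction SilentlyContinue
    $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
    "{0}:{1} is owned by {2} (PID {3})" -f $ep.LocalAddress, $ep.LocalPort, $name, $ep.OwningProcess
    if ($name -ne 'splunkd') {
        Write-Warning "UDP/$Port is held by '$name', so splunkd cannot bind it; stop that service or move the input."
    }
}

# 2. Firewall: which profiles are enabled, and is there an inbound rule allowing UDP/514?
Get-NetFirewallProfile | Select-Object Name, Enabled
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'UDP' -and $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action

# 3. Send one RFC 3164-style line (PRI 14 = facility user, severity info) and return it,
#    so the exact string can be searched for in Splunk afterwards.
function Send-SyslogTest([string]$Target, [int]$Port, [string]$Tag = 'splunk-udp-check') {
    $ts    = (Get-Date).ToString('MMM dd HH:mm:ss')
    $msg   = "<14>$ts $env:COMPUTERNAME ${Tag}: test event from $env:COMPUTERNAME"
    $bytes = [Text.Encoding]::ASCII.GetBytes($msg)
    $udp   = New-Object System.Net.Sockets.UdpClient
    try     { [void]$udp.Send($bytes, $bytes.Length, $Target, $Port) }
    finally { $udp.Close() }   # release the socket whether or not Send succeeded
    return $msg
}

Send-SyslogTest -Target '127.0.0.1' -Port $Port
```

If step 3 is received but the devices' traffic is not, the gap is on the network side and a capture on the indexer's interface (as suggested above) is the next step.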