Security

Why am I unable to send firewall logs to Splunk?

Hindoo
Path Finder

Hello
I want to transmit logs from a firewall to my Splunk.
I configured the firewall to send to my address
and I configured my Splunk to receive on port 514,
but I receive nothing.

Please help me!

1 Solution

woodcock
Esteemed Legend

I am assuming Linux all the way around. You need to make sure that at each stage the port is active; you can do this with netstat. You also need to make sure you are using UDP everywhere (or TCP everywhere). You also need to make sure that your ports are open everywhere to allow the traffic, and lastly that you have routes from each machine that allow the data to travel back AND forth. You can test the ports using the netcat command nc; with it you can both receive data (act as the Splunk forwarder) and also inject data (act as the firewall sender).

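The checks above (is something listening, is it UDP on both ends, does a test datagram actually arrive) can be rehearsed locally before touching the real firewall. The script below is an added example, not code from the original thread or from Splunk: it plays both roles that the answer describes, binding a UDP receiver as a stand-in for Splunk's input (what `nc -lu` would do) and injecting a syslog-formatted datagram as a stand-in for the firewall (what `echo ... | nc -u host 514` would do). It then probes the same port over TCP to show what a TCP/UDP mismatch looks like from the sender's side. Assumptions that are not in the thread: it binds an ephemeral port on 127.0.0.1 instead of 514 so it runs unprivileged, and the firewall event text is constructed sample data.

```python
"""Added example: exercise both ends of a UDP syslog path on the local host.

Assumptions (not from the original thread): an ephemeral loopback port stands
in for UDP/514, and SAMPLE_FW_EVENT is a constructed firewall log line.
"""
import datetime
import socket

FACILITY_AUTH = 4   # RFC 3164 facility numbers: 4 = auth
SEVERITY_INFO = 6   # RFC 3164 severity numbers: 6 = informational

# Constructed sample event, roughly what a firewall emits for a dropped packet.
SAMPLE_FW_EVENT = "DENY TCP 203.0.113.7:51234 -> 192.0.2.10:22 on eth0"


def build_syslog_message(hostname, app, msg,
                         facility=FACILITY_AUTH, severity=SEVERITY_INFO,
                         when=None):
    """Build a BSD syslog (RFC 3164) line: <PRI>TIMESTAMP HOST APP: MSG."""
    pri = facility * 8 + severity          # auth.info -> <38>
    when = when or datetime.datetime.now()
    ts = when.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {app}: {msg}"


def start_udp_receiver(host="127.0.0.1", port=0):
    """Stand-in for Splunk's UDP input (or `nc -lu`): bind and return the socket.
    Port 0 asks the OS for a free ephemeral port so no root is needed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(1.0)                   # don't hang forever if nothing arrives
    return sock


def send_udp(host, port, message):
    """Stand-in for the firewall (or `echo ... | nc -u host port`). Returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(message.encode(), (host, port))


def receive_udp(sock):
    """Return the next datagram as text, or None if none arrived before the timeout."""
    try:
        data, _peer = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return data.decode(errors="replace")


def tcp_probe(host, port, timeout=1.0):
    """What a TCP-configured sender would see for this port.
    'refused' = nothing listens on TCP there, which is exactly the symptom of a
    UDP listener paired with a sender that was configured for TCP."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, OSError):
        return "filtered-or-unreachable"   # a host firewall dropping SYNs looks like this


def run_check():
    """Run the whole exchange: bind receiver, send one event, verify it arrived,
    then show the TCP-vs-UDP mismatch on the same port."""
    receiver = start_udp_receiver()
    host, port = receiver.getsockname()
    try:
        msg = build_syslog_message(
            "fw01", "kernel", SAMPLE_FW_EVENT,
            when=datetime.datetime(2024, 3, 1, 12, 0, 0))
        send_udp(host, port, msg)
        got = receive_udp(receiver)
        return {
            "port": port,
            "udp_delivered": got == msg,
            "received": got,
            "tcp_to_udp_port": tcp_probe(host, port),
        }
    finally:
        receiver.close()


if __name__ == "__main__":
    result = run_check()
    print(f"UDP listener on 127.0.0.1:{result['port']}")
    print(f"datagram delivered: {result['udp_delivered']}")
    print(f"received: {result['received']}")
    print(f"TCP connect to the same port: {result['tcp_to_udp_port']}")
```

To use it against a real path, point `send_udp` at the Splunk host and port 514 from the firewall's network segment, and run `start_udp_receiver("0.0.0.0", 514)` (as root) on the Splunk box with Splunk stopped; if the datagram shows up there but not in Splunk, the problem is the input configuration or the index you are searching, and if it does not show up at all, the problem is the network or host firewall in between.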

Hindoo
Path Finder

Thanks a lot.
I opened port 514 UDP and it works :))))
https://support.microsoft.com/fr-fr/kb/308127/fr?wa=wsignin1.0


treinke
Builder

Is the built in Windows Firewall on?

There are no answers without questions

treinke
Builder

To open UDP 514 in the standard Windows Firewall:
netsh firewall add portopening UDP 514 "Open UDP 514"

To open UDP 514 in the Windows Firewall with Advanced Security:
netsh advfirewall firewall add rule name="Open UDP 514" dir=in action=allow protocol=UDP localport=514

There are no answers without questions

Hindoo
Path Finder

Splunk 6.1.2 on Windows


treinke
Builder

Also make sure the local firewall is allowing UDP port 514. What OS is Splunk on?

There are no answers without questions

richgalloway
SplunkTrust

Have you verified there is connectivity between the firewall and Splunk? Are you looking in the right place for the received logs?

---
If this reply helps you, Karma would be appreciated.

Hindoo
Path Finder

I tested with ping and there is connectivity 😞
