Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I configure Splunk Heavy Forwarder (HF) to receive logs from SolarWinds SEM

sarvananth
Explorer
‎11-23-2023 06:59 PM

I'm trying to set up a Proof of Concept (POC) environment for Splunk Heavy Forwarder (HF), which is receiving data from SolarWinds SEM.

We are using TCP Port 514 to forward logs from SolarWinds SEM. Both Splunk HF and SolarWinds are using free licenses.

 

SolarWinds has performed the forwarding configuration via the admin console. In the Splunk HF Inputs.conf file, details have been added as below:

[TCP://514]

connection_host = X.X.X.93

sourcetype = *

disabled = false

index = SolarWinds-index

 

Both instances are running on the AWS cloud, same subnet. When I check the Splunk HF interface with the Tcpdump command, I receive the following output:

Splunk Host Name - ip-X-X-X-72.ap-southeast-1.compute.internal

SolarWinds Host Name - ip-X-X-X-93.ap-southeast-1.compute.internal

 

00:58:05.726708 IP ip-X-X-X-72.ap-southeast-1.compute.internal.shell > ip-X-X-X-93.ap-southeast-1.compute.internal.36044: Flags [R.], seq 0, ack 3531075234, win 0, length 0

00:58:05.727636 IP ip-X-X-X-93.ap-southeast-1.compute.internal.36054 > ip-X-X-X-72.ap-southeast-1.compute.internal.shell: Flags [S], seq 3042331467, win 64240, options [ 1460,sackOK,TS  1136916397  0,nop,wscale 7], length 0

 

Splunk HF is receiving logs from the Universal Forwarder (UF) on the Windows server but didn't from SolarWinds SEM.

 

Can anyone advise on this issue?

 

Labels (1)
Labels
Preview file
11 KB
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎11-23-2023 10:21 PM

Hi

1st it's best to use some real syslog server instead of Splunk UF/HF even you can use also Splunk for that. For PoC you can use also Splunk, but in production you should switch this to something else.

Post under 1024 cannot used unless you are sunning process as root. You shouldn't run splunkd as root. For that reason you must switch port to e.g. 1514 or something similar and also configure SolarWindsSEM to use it. 

r. Ismo

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...