Splunk Enterprise

How do I configure Splunk Heavy Forwarder (HF) to receive logs from SolarWinds SEM

sarvananth
Explorer

I'm trying to set up a Proof of Concept (POC) environment for Splunk Heavy Forwarder (HF), which is receiving data from SolarWinds SEM.

We are using TCP Port 514 to forward logs from SolarWinds SEM. Both Splunk HF and SolarWinds are using free licenses.

SolarWinds has performed the forwarding configuration via the admin console. In the Splunk HF inputs.conf file, details have been added as below:

# Stanza names are lowercase: [tcp://<port>], or [tcp://<remote host>:<port>] to accept only that sender
[tcp://514]
# connection_host takes ip, dns or none (how the host field is set), not an address
connection_host = ip
# sourcetype needs a concrete name; * is not a valid value
sourcetype = syslog
disabled = false
# index names must be lowercase, and the index must already exist on the HF/indexers
index = solarwinds-index

Both instances are running on the AWS cloud, same subnet. When I check the Splunk HF interface with the tcpdump command, I receive the following output:

Splunk Host Name - ip-X-X-X-72.ap-southeast-1.compute.internal

SolarWinds Host Name - ip-X-X-X-93.ap-southeast-1.compute.internal

00:58:05.726708 IP ip-X-X-X-72.ap-southeast-1.compute.internal.shell > ip-X-X-X-93.ap-southeast-1.compute.internal.36044: Flags [R.], seq 0, ack 3531075234, win 0, length 0

00:58:05.727636 IP ip-X-X-X-93.ap-southeast-1.compute.internal.36054 > ip-X-X-X-72.ap-southeast-1.compute.internal.shell: Flags [S], seq 3042331467, win 64240, options [mss 1460,sackOK,TS val 1136916397 ecr 0,nop,wscale 7], length 0

Splunk HF is receiving logs from the Universal Forwarder (UF) on the Windows server, but not from SolarWinds SEM.


Can anyone advise on this issue?


isoutamo
SplunkTrust

Hi

First, it's best to use a real syslog server instead of Splunk UF/HF, even though you can also use Splunk for that. For a PoC you can use Splunk, but in production you should switch this to something else.

Ports under 1024 cannot be used unless you are running the process as root. You shouldn't run splunkd as root. For that reason you must switch the port to e.g. 1514 or something similar and also configure SolarWinds SEM to use it.

r. Ismo
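The tcpdump capture in the question already points the same way: tcpdump labels TCP/514 "shell" (the rsh port in /etc/services), and the `[R.]` the HF sends back to every SYN from the SEM host means nothing on the HF accepted the connection. The script below is an added example, not from this thread or from Splunk: it pulls the port out of each `[tcp://...]` stanza in an inputs.conf fragment, flags ports below 1024 that a non-root splunkd cannot bind, renders a corrected stanza (port 1514, index `solarwinds`, sourcetype `syslog` and the `[tcp://<host>:<port>]` form are assumptions), and checks `ss -ltnp` output for the resulting listener.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the TCP syslog input on a
# Splunk HF. Port 1514, the index name and the sourcetype are assumptions;
# `ss` is assumed to be the iproute2 tool.

# Print the port of every [tcp://...] or [splunktcp://...] stanza in FILE, one per line.
# -i also catches a mis-cased [TCP://514], which Splunk itself would not match.
inputs_conf_tcp_ports() {
  grep -i '^\[\(splunk\)\{0,1\}tcp://' "$1" | sed 's/.*[:/]\([0-9][0-9]*\)\]$/\1/'
}

# 0 if PORT is privileged (below 1024, root-only to bind), 1 otherwise.
port_is_privileged() {
  [ "$1" -lt 1024 ]
}

# Warn on stderr about every privileged port in FILE; return 1 if any was found.
check_inputs_conf() {
  rc=0
  for p in $(inputs_conf_tcp_ports "$1"); do
    if port_is_privileged "$p"; then
      echo "WARN: port $p needs root to bind; use an unprivileged port (e.g. 1514)" >&2
      rc=1
    fi
  done
  return $rc
}

# Print a corrected TCP input stanza: PORT INDEX SOURCETYPE [SOURCE_HOST].
# With SOURCE_HOST the stanza takes the [tcp://<host>:<port>] form, so only
# that sender is accepted; connection_host is one of ip, dns or none.
render_tcp_input() {
  if [ -n "${4:-}" ]; then
    echo "[tcp://$4:$1]"
  else
    echo "[tcp://$1]"
  fi
  printf 'connection_host = ip\nsourcetype = %s\nindex = %s\ndisabled = false\n' "$3" "$2"
}

# 0 if SS_OUTPUT (text from `ss -ltnp`) shows a LISTEN socket on PORT, else 1.
listener_present() {
  printf '%s\n' "$2" | grep -q "^LISTEN[[:space:]].*:$1[[:space:]]"
}

# Live check on the HF host: is anything bound to PORT right now?
splunkd_listening() {
  listener_present "$1" "$(ss -ltnp 2>/dev/null)"
}

# Typical use on the HF:
#   check_inputs_conf "$SPLUNK_HOME/etc/system/local/inputs.conf"
#   render_tcp_input 1514 solarwinds syslog X.X.X.93
#   splunkd_listening 1514 && echo "listener up"
```

After changing the stanza, restart splunkd, run `splunkd_listening 1514`, and point SolarWinds SEM at the new port; a further tcpdump should then show the three-way handshake completing instead of a reset.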
