Hi all,
I am currently having trouble finding the steps on how to forward the syslogs from an Aruba switch into Splunk. The Aruba switch is set up to forward the syslogs through the correct IP to port 9997, which is the Splunk default. My issue is that these syslogs are not coming through or not visible. I have confirmed the computer can detect the switch and the switch sees the computer. Why are the syslogs not being forwarded? I have installed the Aruba Network Add-on for Splunk but the result has not changed.
If someone knows the correct steps to set this up, would they be able to provide them?
Any help is greatly appreciated.
Kind regards,
Ben
Port 9997 is indeed a default port, but not for receiving syslog data (for that you'd need to explicitly enable a TCP or UDP input); it is for Splunk-to-Splunk communication (like forwarding data from Splunk forwarders to indexers).
For a simple setup, a direct TCP or UDP input (depending on what you use) on your receiving indexer might be sufficient, but it's recommended to use an external syslog receiver and either write to files and ingest those files with a UF (the old way) or forward the data to a HEC input (the new way).
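
The difference described in the answer above, as an added `inputs.conf` example that is not part of the original thread. The port 514, the index name `network`, the `syslog` sourcetype and the file path are assumptions to replace with your own values.

```ini
# inputs.conf (added example; values marked "assumed" are placeholders)

# What listens on 9997: the Splunk-to-Splunk receiver. It expects the
# forwarder protocol from Splunk forwarders, not raw syslog from a switch.
[splunktcp://9997]
disabled = 0

# Direct network input for syslog on the receiving Splunk instance.
# Keep only the stanza that matches the transport the switch uses.
[udp://514]
# assumed sourcetype; use the one the Aruba add-on documents
sourcetype = syslog
# assumed index name; the index must already exist
index = network
# set the host field to the sender's IP address
connection_host = ip

[tcp://514]
sourcetype = syslog
index = network
connection_host = ip

# File-based alternative ("the old way"): an external syslog receiver
# writes to disk and a Universal Forwarder on that host monitors the files.
# The path below is hypothetical.
[monitor:///var/log/remote/aruba/*.log]
sourcetype = syslog
index = network
```

With a direct input, the switch's syslog destination has to point at the input port (514 here) instead of 9997, and any host firewall on the Splunk server must allow that port and protocol.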