Splunk Enterprise

Splunk can't get data from remote machines

pacifikn
Communicator

Dear All,

Greetings!! 

I need your help,

Splunk server for log collector x.x.x.x port=y can't receive data from all the syslog senders that send data to this log collector server. And I have checked the port by doing telnet

-->   telnet IP port  :     telnet x.x.x.x  y and it is not responding,

What to do/check if you find this IP and port is not responding.....and this causes it to not receive logs from all the syslog senders.

Kindly help me how to troubleshoot this, thank you in advance

1 Solution

richgalloway
SplunkTrust
SplunkTrust

You should ask your network team for help with the ASA.

The server on which Splunk is running may have its own software firewall (iptables or the like).  It, too, must be checked to make sure it's not blocking the port.

---
If this reply helps you, Karma would be appreciated.


nickhills
Ultra Champion

If the syslog receiver is using UDP you can't test it with telnet; instead try netcat.

nc -z -v -u <your_IP> <your_port_number>

Although, a good start is to use netstat on the receiving host and confirm the host is listening on the right interface/port/proto!

netstat -ln|grep <your_port_number>

If my comment helps, please give it a thumbs up!

pacifikn
Communicator

Dear nickhills,

I have tried the below, here is what I get:

1.         nc -z -v -u  public-IP  port 

output:

Ncat: Version 7.50 (https://nmap.org/ncat)

Ncat: Connected to Public-IP:port.

Ncat: UDP Packet sent successfully

Ncat: 1 bytes sent, 0 bytes received in 2.06 seconds.

2.      netstat -ln | grep port 

tcp    0     0.0.0.0:port       0.0.0.0:*            LISTEN

udp   0      0.0.0.0:port       0.0.0.0:*                         

Those are the outputs of the above commands. In the second command there's no listening? How can I fix this? What is the issue?

richgalloway
SplunkTrust
SplunkTrust

Have you verified something is listening to that address and port?  Have you checked your firewalls?

---
If this reply helps you, Karma would be appreciated.

pacifikn
Communicator

Dear @richgalloway 

May you help me and share with me the commands I can use to check the below information you shared? I use CentOS 7.

I have checked the syslog senders; all are configured well to send logs into the Splunk server log collector. But the problem is that I can't receive logs into the Splunk server log collector. What are all the troubleshooting steps to go through to check the root cause? Kindly share with me all the commands I can use to check all the services.

Thank you

richgalloway
SplunkTrust
SplunkTrust

To determine if a process is listening to a port, use the netstat command.

netstat -ln | grep y

Since I don't know what firewall you use I can't suggest commands to check it.  Consult your system admin (or Google). 

---
If this reply helps you, Karma would be appreciated.

pacifikn
Communicator

@richgalloway 

netstat -ln | grep 514

tcp      0       0.0.0.0:514         0.0.0.0:*     LISTEN

udp     0      0.0.0.0:514          0.0.0.0:*                        

This is the output I got from the above command. In the udp line there's no LISTEN info; is this how it should be, or does this mean that it is not listening? 

AND

nc -u x.x.x.x 514 , I got a flashing point
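On the question just above about the udp line showing no LISTEN: UDP has no connection state, so netstat prints a bound UDP socket with an empty State column, and the missing LISTEN there is normal. What follows is an added example and not code from this thread or from Splunk: a small POSIX shell function that reads stock six-column `netstat -ln` output and reports, for one port, whether a TCP listener and a UDP socket are bound and whether they are bound only to loopback (the "right interface" check nickhills mentions). The netstat lines in `SAMPLE_NETSTAT` are constructed, and the names `port_status` and `live_status` are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk. It decides from
# `netstat -ln` output (read on stdin) whether anything is bound to a given
# port, per protocol. TCP listeners carry a LISTEN state; UDP is connectionless,
# so a bound UDP socket prints with an empty State column, which is normal.

# port_status PORT   <  netstat -ln output
# prints: tcp=yes|no udp=yes|no loopback_only=yes|no
port_status() {
    port="$1"
    tcp=no; udp=no; loopback_only=no; bound_wide=no
    while read -r proto recvq sendq laddr raddr state; do
        # keep only rows whose local address ends in :PORT (header rows never do)
        case "$laddr" in
            *:"$port") ;;
            *) continue ;;
        esac
        case "$proto" in
            tcp|tcp6) [ "$state" = "LISTEN" ] && tcp=yes ;;
            udp|udp6) udp=yes ;;
            *) continue ;;
        esac
        # a socket bound only to loopback never receives from remote senders
        case "$laddr" in
            127.0.0.1:*|::1:*) loopback_only=yes ;;
            *) bound_wide=yes ;;
        esac
    done
    # any non-loopback binding for the port makes it reachable from outside
    [ "$bound_wide" = yes ] && loopback_only=no
    echo "tcp=$tcp udp=$udp loopback_only=$loopback_only"
}

# live_status PORT: the same check against the running host
# (on CentOS 7 netstat is provided by the net-tools package).
live_status() {
    netstat -ln 2>/dev/null | port_status "$1"
}

# Constructed sample of `netstat -ln` output for the demonstration below;
# these are not lines captured from the poster's server.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8089            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:514             0.0.0.0:*
udp        0      0 127.0.0.1:1514          0.0.0.0:*'

for p in 514 1514 9999; do
    printf 'port %s: %s\n' "$p" "$(printf '%s\n' "$SAMPLE_NETSTAT" | port_status "$p")"
done
```

Run `live_status 514` on the collector itself. `udp=yes` together with `loopback_only=no` means the socket is bound and the problem lies upstream: the host firewall (CentOS 7 defaults to firewalld, and `firewall-cmd --list-all` shows the open ports and services) or a device in the path such as the ASA. Note also that `nc -z -u` prints "UDP Packet sent successfully" whenever the datagram leaves the sender; without a handshake it cannot confirm that a listener exists on the far end, so the receiver-side check above is the reliable one.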
