How to check whether Splunk is receiving logs from a particular IP

alexspunkshell
Contributor

Hi Guys,
Syslog is sent to forwarder IP through TCP 514 port. I am unable to receive those syslog in forwarder or indexer.
How to check whether syslog is received in forwarder ?
How to receive those syslog in indexer ?


FrankVl
Ultra Champion

Checking for incoming traffic on the forwarder can be done with tools like tcpdump (Wireshark on Windows).

For example (replace the IP address with the one you're looking for): tcpdump -A -nn -i any src host 10.0.0.1 and dst port 514

If traffic is showing in tcpdump, the issue is on the forwarder server. Either the local firewall is blocking, or Splunk is not actually listening. Or the issue is further down the pipeline, with data not making it to the indexer, or being processed badly (wrong timestamping or so), which prevents you from seeing it in search results.

If you have confirmation that the data is arriving at the forwarder, feel free to share your Splunk configuration to receive further feedback.
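The checks above, put into one small diagnostic script as an added example (this is not from the thread and not a Splunk tool): confirm something is listening on the port with `ss`, capture a few seconds of traffic from the sender with tcpdump, and count the packets addressed to the syslog port. The source IP, the port, the `timeout` utility and the `SPLUNK_HOME` path are assumptions; the `ss` and tcpdump sample output at the bottom is constructed so the two parsing helpers can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the original thread): walks the checks described in
# the answer. Source IP, port, SPLUNK_HOME and the coreutils "timeout" command
# are assumptions; adjust them for your host.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"   # assumed install path

# Does the given "ss -ltn" output show a TCP listener on PORT on any address?
# The output is passed in as text so the check can be run against captured data.
listener_present() {
    ss_output="$1"; port="$2"
    printf '%s\n' "$ss_output" | grep -E "LISTEN.*:${port}[[:space:]]" >/dev/null
}

# Count the packets in "tcpdump -nn" output whose destination port is PORT.
# tcpdump prints each packet as "... IP src.sport > dst.dport: Flags ..."
count_packets_to_port() {
    dump_output="$1"; port="$2"
    n=$(printf '%s\n' "$dump_output" | grep -Ec " > [0-9.]+\.${port}: " || true)
    printf '%s\n' "$n"
}

# Live check (tcpdump needs root): report the listener state, then capture up
# to 50 packets from SRC_IP to PORT for SECONDS and say whether any arrived.
check_syslog_path() {
    src_ip="$1"; port="${2:-514}"; seconds="${3:-10}"
    if listener_present "$(ss -ltn)" "$port"; then
        echo "OK: a process is listening on TCP $port"
    else
        echo "WARN: nothing is listening on TCP $port"
        echo "      review inputs.conf, e.g. $SPLUNK_HOME/bin/splunk btool inputs list --debug"
    fi
    # -c caps the capture; timeout bounds the wait even if nothing ever arrives
    capture=$(timeout "$seconds" tcpdump -nn -i any -c 50 \
        "src host $src_ip and dst port $port" 2>/dev/null || true)
    pkts=$(count_packets_to_port "$capture" "$port")
    echo "$pkts packet(s) from $src_ip to TCP $port seen in ${seconds}s"
    if [ "$pkts" -gt 0 ]; then
        echo "Traffic reaches this host: check the local firewall, the Splunk input and timestamp parsing next"
    else
        echo "No traffic arrived: check the sender and the network path first"
    fi
}

# Constructed sample output (not captured from a real host) for offline checks.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:514         0.0.0.0:*
LISTEN 0      128    0.0.0.0:8089        0.0.0.0:*'

SAMPLE_DUMP='10:00:01.000001 IP 10.0.0.1.40001 > 10.0.0.2.514: Flags [P.], seq 1:90, length 89
10:00:01.000002 IP 10.0.0.2.514 > 10.0.0.1.40001: Flags [.], ack 90, length 0
10:00:02.000003 IP 10.0.0.1.40001 > 10.0.0.2.514: Flags [P.], seq 90:180, length 90'

# Usage: sh check_syslog.sh <source-ip> [port] [seconds]
if [ $# -gt 0 ]; then
    check_syslog_path "$@"
fi
```

Run it on the forwarder as root while the sender is emitting syslog; a non-zero packet count with nothing listening points at the Splunk input, a non-zero count with a listener points at the firewall or at parsing further down the pipeline, and a zero count means the data never reached the host.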

axcastillo
Engager

@FrankVl That tcpdump command is golden for troubleshooting any tcpin input.  I just used it to show that Splunk was indeed receiving the data but a bad timestamp was causing the "lag".  Saved this command for future troubleshooting sessions. Thanks for sharing it with us.
