Splunk Search

Traffic getting to server, but not getting splunk'd.

rblalock
New Member

I have an ASA firewall sending data to my splunk server (syslog port 514). When I run tcpdump...

tcpdump -i eth1 host 172.28.8.234 > test.txt

I get data dumped. It looks like...

11:15:53.627144 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 145
11:15:53.628353 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 146
11:15:53.629599 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 181

But when I search splunk for the ip 172.28.8.234, I get jack squat. What are some reasons splunk would not be logging this data? Splunk is listening on UDP port 514...

~# nmap -sU localhost

Starting Nmap 5.00 ( http://nmap.org ) at 2013-05-03 11:20 EDT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 998 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
514/udp open|filtered syslog


yannK
Splunk Employee

rblalock
New Member

Excellent. Thanks very much.


Ayn
Legend

Also the data with sourcetype 'syslog' gets its host value from the host value specified in the events, which is not necessarily the same as the IP address of the host the events were received from.

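To make the point in Ayn's answer concrete, here is an added example (not code from the thread, from Splunk, or from the original posters) that models the behaviour in a few lines of Python: for the default 'syslog' sourcetype the host field is taken from the hostname inside the syslog header, and the sending IP only matters when no hostname is there. The sender IP 172.28.8.234 and the local4.info priority come from the question; the device name asa-edge-fw, the message bodies and the regex are constructed for the example and are not Splunk's real syslog-host extraction (which lives in its default transforms.conf).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added example, not Splunk's code: a simplified model of how the default
# 'syslog' sourcetype assigns the host field, to show why a search for the
# sender IP can return nothing even though the datagrams arrive on UDP/514.

SENDER_IP = "172.28.8.234"  # the ASA address from the question

# Constructed datagrams: (source IP of the UDP packet, payload).
# PRI <166> is local4.info, matching the tcpdump output in the question.
# Device name and message text are made up for the example.
SAMPLE_DATAGRAMS = [
    (SENDER_IP, "<166>May 03 2013 11:15:53 asa-edge-fw : %ASA-6-302013: Built outbound TCP "
                "connection 9001 for outside:198.51.100.7/443 (198.51.100.7/443) to "
                "inside:10.1.2.3/51234 (203.0.113.5/51234)"),
    (SENDER_IP, "<166>May 03 2013 11:15:53 asa-edge-fw : %ASA-6-302014: Teardown TCP "
                "connection 9001 for outside:198.51.100.7/443 to inside:10.1.2.3/51234 "
                "duration 0:00:01 bytes 4210 TCP FINs"),
    # Same device with no device-id in the header, so no hostname is present.
    (SENDER_IP, "<166>May 03 2013 11:15:54: %ASA-6-106015: Deny TCP (no connection) "
                "from 198.51.100.9/4444 to 203.0.113.5/22 flags SYN ACK on interface outside"),
]

# Assumed ASA-style layout: <PRI>Mon DD YYYY HH:MM:SS [device-id] : %ASA-sev-id: text
ASA_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2})"
    r"(?:\s+(?P<host>[A-Za-z][\w.\-]*))?"
    r"\s*:\s*(?P<msg>.+)$"
)


@dataclass
class IndexedEvent:
    host: str       # the value a 'host=...' search would match
    facility: int
    severity: int
    raw: str        # the text a bare keyword search runs over


def parse_datagram(payload: str) -> Optional[dict]:
    """Split an ASA-style syslog line into PRI, timestamp, optional header host and message."""
    m = ASA_SYSLOG_RE.match(payload)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri >> 3,             # 166 >> 3 == 20 == local4
        "severity": pri & 0x7,            # 166 & 7 == 6 == info
        "timestamp": m.group("ts"),
        "header_host": m.group("host"),   # None when the header carries no hostname
        "message": m.group("msg"),
    }


def assign_host(sender_ip: str, parsed: dict) -> str:
    """Modelled rule: the header hostname wins; the sender IP is only the fallback."""
    return parsed["header_host"] or sender_ip


def index_datagrams(datagrams) -> list:
    """Turn received datagrams into indexed events the way the modelled input would."""
    events = []
    for sender_ip, payload in datagrams:
        parsed = parse_datagram(payload)
        if parsed is None:
            # Unparseable payload: still indexed, host falls back to the sender.
            events.append(IndexedEvent(sender_ip, -1, -1, payload))
            continue
        events.append(IndexedEvent(assign_host(sender_ip, parsed),
                                   parsed["facility"], parsed["severity"], payload))
    return events


def search(events, term: str, field: Optional[str] = None) -> list:
    """Simplified search: exact match on host when field='host', else keyword over raw text and host."""
    if field == "host":
        return [e for e in events if e.host == term]
    return [e for e in events if term in e.raw or term in e.host]


if __name__ == "__main__":
    events = index_datagrams(SAMPLE_DATAGRAMS)
    for e in events:
        print(f"host={e.host!r:16} {e.raw[:60]}...")
    print("hits for the sender IP :", len(search(events, SENDER_IP)))
    print("hits for header host   :", len(search(events, "asa-edge-fw", field="host")))
```

Running it shows the two events that carry a device name in their header are only found by searching for that name (or by sourcetype and time range), while the one event without a header hostname is the only hit for the sender IP. When checking whether a new syslog feed is being indexed, search on `sourcetype=syslog` over the last few minutes first and read the host value off the events, rather than assuming it equals the address seen in tcpdump.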