
what range of udp/tcp ports can be used for various log sources ?

damode
Motivator

I have 3 different log sources sending logs to Splunk from a number of hosts on UDP 514.

Breakdown: WLC (5-6 hosts), ESX (8) and Equallogic (6). However, so far I am only getting data from the WLC hosts.

I am thinking of assigning different UDP ports for the ESX and Equallogic hosts to ease categorization in Splunk.

What would be the ideal ports for the above log sources? Please advise.


Damien_Dallimor
Ultra Champion

Any free UDP port > 1024, so that you don't have to run Splunk under a user account with superuser privileges (required to open ports < 1024).
I also try to avoid UDP ports that are the default for common services.

Also worth considering: you can still send these 3 sourcetypes to the same UDP port (source) and then, in your props.conf / transforms.conf, have a rule that sets the sourcetype field based on the received data. This would also solve your need for easier categorization.

Example here: http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Advancedsourcetypeoverrides
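A concrete shape of the props.conf / transforms.conf override described in this answer, added here as an illustration; it is not taken from the thread or from Splunk's documentation. It assumes one listener on UDP 514, BSD-style syslog headers (PRI, timestamp, hostname), hosts named esxNN and eqlNN, and the made-up sourcetype names esx_syslog and equallogic_syslog; replace the REGEX values with whatever actually distinguishes your devices.

```ini
# inputs.conf - a single listener; everything on it starts as sourcetype "syslog"
# (assumed layout, not from the thread)
[udp://514]
sourcetype = syslog
connection_host = ip

# props.conf - UDP inputs get source "udp:514", so this stanza matches every
# event from that listener and runs the transforms below in order
[source::udp:514]
TRANSFORMS-set_st = set_st_esx, set_st_equallogic

# transforms.conf - each rule rewrites the sourcetype when its REGEX matches _raw.
# Events matching neither rule (the WLC hosts here) keep sourcetype "syslog".
[set_st_esx]
# <PRI>Mon DD HH:MM:SS esx01 ...   (hostname pattern esxNN is an assumption)
REGEX = ^<\d+>\w{3}\s+\d+\s[\d:]+\s+esx\d+\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::esx_syslog

[set_st_equallogic]
# <PRI>Mon DD HH:MM:SS eql01 ...   (hostname pattern eqlNN is an assumption)
REGEX = ^<\d+>\w{3}\s+\d+\s[\d:]+\s+eql\d+\b
DEST_KEY = MetaData:Sourcetype
FORMAT = sourcetype::equallogic_syslog
```

These are parsing-time settings, so they belong on the indexer or heavy forwarder that first parses the data, not on a universal forwarder.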

damode
Motivator

Hi @Damien,

Thanks for your input. I found that list very useful.

In that list, 1514 and 1515 are not mentioned; however, I am already using 1514 for Meraki. Would it be safe to use 1515 for the ESX hosts?

I am using props.conf / transforms.conf for Equallogic.


cpetterborg
SplunkTrust

The following information assumes the use of a syslog server so that you have wide control of the syslog data as it comes in.

We use different ports for different indexes and/or sourcetypes. We have the ports 51400 through 51499 set aside for those definitions, and there don't seem to have been any conflicts. That range is nice because it starts with 514 (which is the default syslog port).

In addition, you can set up an additional IP address and use the same port 514 on that IP address to do the same thing. That is useful for devices/systems that can only use port 514 but for which you want a different source/index/sourcetype/etc.

damode
Motivator

We have data coming directly to a Heavy Forwarder; can we still use the above ports?

cpetterborg
SplunkTrust

Yes, these ports should not be in use by anything else. They do not interfere with anything that Splunk uses currently.
