Splunk Search

What range of UDP/TCP ports can be used for various log sources?

damode
Motivator

I have 3 different log sources sending logs to Splunk from a number of hosts on UDP 514.

Breakdown: WLC (5-6 hosts), ESX (8) and EqualLogic (6). However, so far I am only getting data from WLC hosts.

I am thinking of assigning different UDP ports for ESX and EqualLogic hosts to ease categorization on Splunk.

What would be the ideal ports for the above log sources? Please advise.

1 Solution

Damien_Dallimor
Ultra Champion

Any free UDP port > 1024, so that you don't have to run Splunk under a user account with superuser privileges (required to open ports < 1024).
I also try to avoid UDP ports that are the default for common services.

Also worth considering: you can still send these 3 sourcetypes to the same UDP port (source) and then in your props.conf / transforms.conf have a rule that sets the sourcetype field based on the received data. This would also solve your need for easier categorization.

Example here: http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Advancedsourcetypeoverrides

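As an added example (not Damien's configuration and not Splunk's own code), this is one way to implement the single-port approach he describes for the three sources in the question. The sourcetype names and the regular expressions are constructed assumptions for illustration; the conf file names, stanza syntax and keys are the real Splunk ones.

```ini
# inputs.conf on the receiving Splunk instance (heavy forwarder or indexer).
# All three device families keep sending to the one UDP listener on 514.
[udp://514]
# Placeholder sourcetype; it only survives on events no transform below matches.
sourcetype = syslog_unsorted
connection_host = ip

# props.conf: run the sourcetype-setting transforms on everything that arrives
# on that input. The source of a UDP input is literally "udp:514".
[source::udp:514]
TRANSFORMS-set_st = st_wlc, st_esx, st_equallogic

# transforms.conf: each stanza rewrites the sourcetype when its REGEX matches the
# raw event. The patterns and target sourcetype names are CONSTRUCTED for this
# example; check them against real messages from your devices before deploying.
[st_wlc]
REGEX = \*(?:apfMsConnTask|spamApTask|dot1xMsgTask)_\d+:
FORMAT = sourcetype::example:cisco_wlc
DEST_KEY = MetaData:Sourcetype

[st_esx]
REGEX = \s(?:Hostd|Vpxa|vmkernel|Rhttpproxy)(?:\[\d+\])?:
FORMAT = sourcetype::example:vmware_esx
DEST_KEY = MetaData:Sourcetype

[st_equallogic]
REGEX = (?i)equallogic|\bMEMBER_[A-Z0-9_]+\b
FORMAT = sourcetype::example:dell_equallogic
DEST_KEY = MetaData:Sourcetype
```

Because index-time transforms run on the first full Splunk instance that parses the data, these files belong on the heavy forwarder in the asker's setup, and a search for `sourcetype=syslog_unsorted` then shows exactly which senders are arriving but not being recognised (here, the missing ESX and EqualLogic hosts).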

damode
Motivator

Hi @Damien,

Thanks for your input. I found that list very useful.

In that list, 1514 and 1515 are not mentioned; however, I am already using 1514 for Meraki. Would it be safe to use 1515 for ESX hosts?

I am using props.conf / transforms.conf for EqualLogic.


cpetterborg
SplunkTrust

The following information assumes the use of a syslog server so that you have wide control of the syslog data as it comes in.

We use the different ports for different indexes and/or sourcetypes. We have the ports 51400 through 51499 set aside for those definitions, and there don't seem to be any conflicts that we have had. That range is nice because it starts with 514 (which is the default syslog port).

In addition, you can set up an additional IP address and use the same port 514 on that IP address and do the same thing. Those are useful for devices/systems that can only use port 514, but you want to use a different source/index/sourcetype/etc.

damode
Motivator

We have data coming directly to a Heavy Forwarder; can we still use the above ports?


cpetterborg
SplunkTrust

Yes, these ports should not be in use by anything else. They do not interfere with anything that Splunk uses currently.
