Unfortunately it doesn't work.
IP-Tables NAT: /usr/sbin/iptables -t nat -A PREROUTING -m udp -p udp --dport 514 -j REDIRECT --to-ports 5447
Firewall entries for 5447 and 514
Entry in $SPLUNK_HOME/etc/system/local/inputs.conf
[udp://10.23.112.64:5447]
disabled = false
sourcetype = syslog
index = switches
This creates a new data input.
I'm struggling with your command, because the Splunk running user has some security protection, so I can't execute it.
In metrics.log I have some of these entries:
04-19-2018 13:43:59.762 +0200 INFO Metrics - group=udpin_connections, 10.23.112.64:5447, sourcePort=5447, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00
Otherwise I can't find any data in Splunk for the switch.
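A small troubleshooting helper for the situation in this post, added here as an example; it is not code from the post or from Splunk. It does two things: it parses the group=udpin_connections lines that Splunk writes to metrics.log (the line from the post is used as a sample, the second sample line and its input name 10.23.112.64:1514 are constructed for illustration) and lists inputs whose latest sample shows no events and no bytes; and it sends one RFC 3164-style test datagram so you can tell a NAT/firewall problem from a Splunk-side problem. The loopback self-test binds an ephemeral port on 127.0.0.1 and receives its own datagram, which is what a working listener would see.

```python
"""Check whether a Splunk UDP syslog input is actually receiving data.

Check 1: parse udpin_connections samples from metrics.log and flag idle inputs.
Check 2: send a test syslog datagram at the port the switch uses (514 before
NAT); if that test shows up as _udp_eps > 0 in a later metrics sample while
the switch's traffic does not, the problem is upstream of Splunk.
"""
import re
import socket
import time

# One sample per line, most recent sample per input wins.
# The first line is the one quoted in the post; the second is constructed
# for illustration (input 10.23.112.64:1514 is hypothetical).
SAMPLE_METRICS = [
    "04-19-2018 13:43:59.762 +0200 INFO Metrics - group=udpin_connections, "
    "10.23.112.64:5447, sourcePort=5447, _udp_bps=0.00, _udp_kbps=0.00, "
    "_udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00",
    "04-19-2018 13:43:59.762 +0200 INFO Metrics - group=udpin_connections, "
    "10.23.112.64:1514, sourcePort=1514, _udp_bps=812.40, _udp_kbps=0.79, "
    "_udp_avg_thruput=0.79, _udp_kprocessed=24.37, _udp_eps=3.10",
]

# Fields of a udpin_connections line: timestamp, input name, source port,
# then a comma-separated list of key=value metrics.
METRIC_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) INFO Metrics - group=udpin_connections, "
    r"(?P<input>\S+), sourcePort=(?P<port>\d+), (?P<kv>.*)$"
)


def parse_udpin_metrics(lines):
    """Return {input_name: {metric: float}}; lines that are not
    udpin_connections samples are ignored."""
    result = {}
    for line in lines:
        m = METRIC_RE.match(line.strip())
        if not m:
            continue
        metrics = {}
        for pair in m.group("kv").split(", "):
            key, _, val = pair.partition("=")
            try:
                metrics[key] = float(val)
            except ValueError:
                continue  # non-numeric field, not a throughput metric
        result[m.group("input")] = metrics
    return result


def idle_inputs(parsed):
    """Inputs whose latest sample shows zero events and zero bytes."""
    return sorted(
        name for name, m in parsed.items()
        if m.get("_udp_eps", 0.0) == 0.0 and m.get("_udp_bps", 0.0) == 0.0
    )


def build_syslog(msg, facility=1, severity=6, host="testhost", tag="nattest"):
    """RFC 3164 framing: <PRI>Mmm dd hh:mm:ss host tag: msg (day space-padded)."""
    pri = facility * 8 + severity
    t = time.localtime()
    ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    return f"<{pri}>{ts} {host} {tag}: {msg}".encode()


def send_test_syslog(dest_host, dest_port, msg):
    """Send one datagram to dest_host:dest_port; returns the payload sent."""
    payload = build_syslog(msg)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (dest_host, dest_port))
    return payload


def loopback_roundtrip(msg="nat-check"):
    """Self-test: bind an ephemeral UDP port on 127.0.0.1, send the test
    datagram to it, and return the text received."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        port = rx.getsockname()[1]
        send_test_syslog("127.0.0.1", port, msg)
        data, _ = rx.recvfrom(2048)
    return data.decode()


if __name__ == "__main__":
    parsed = parse_udpin_metrics(SAMPLE_METRICS)
    print("idle inputs:", idle_inputs(parsed))
    print("loopback received:", loopback_roundtrip())
    # Against a real host, send at the pre-NAT port the switch uses:
    # send_test_syslog("10.23.112.64", 514, "test via REDIRECT")
```

To use it against the setup in the post, run send_test_syslog at port 514 from another host and watch both the packet counters of the NAT rule (`iptables -t nat -L PREROUTING -v -n`) and the next udpin_connections sample for 10.23.112.64:5447. Two things worth checking while doing that: REDIRECT rewrites the destination address to the primary address of the interface the packet arrived on, so the input must be bound to that address (or to all addresses); and NAT happens in PREROUTING before the filter INPUT chain, so INPUT has to accept UDP 5447, not only 514.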