I've set up a data input for syslog on both TCP and UDP 514. Pretty straightforward, and I've verified I am getting logs into Splunk from actual syslog servers; however, I'm having an interesting problem with NetApp devices.
The NetApp devices are configured to send their syslog directly to the IP address of the Splunk server. I can see the messages coming in via UDP if I run tcpdump, however these never show up in a search.
In fact, the only way I can get these messages to show up is to delete the UDP data input, set up an actual syslog daemon for UDP/514 and then log to a file, which Splunk then picks up.
There is no firewall or ACL blocking the syslog access to the Splunk box, so I'm at a loss as to why these messages are having so much trouble.
Anyone seen this? Anyone else using Splunk for monitoring NetApp data?
Thank you,
Erric