Cisco ASA: 10.10.50.1
Indexer: 10.10.50.11
Forwarder: 10.10.50.12
In the command line, are you referring to "src host" as the indexer or the Cisco ASA?
I tried to run the command from the forwarder pointing src host at both the indexer and the Cisco ASA, but the result shows "No such device". Am I running the command correctly and from the right directory location?
Sorry, I'm a newbie just 4 months into Splunk, trying to understand how everything works. It's quite difficult trying to learn everything by myself alone; it would be 10 times faster if someone taught me how to do it.
Please see output below:
From the forwarder, pointing src host at the indexer 10.10.50.11:
root@forwarder:~# tcpdump -vvv -i 10.10.50.11 udp port 514
tcpdump: 10.10.50.11: SIOCETHTOOL(ETHTOOL_GET_TS_INFO) ioctl failed: No such device
root@forwarder:~# tcpdump -vvv -i 10.10.50.11 tcp port 514
tcpdump: 10.10.50.11: SIOCETHTOOL(ETHTOOL_GET_TS_INFO) ioctl failed: No such device
From the forwarder, pointing src host at the Cisco ASA 10.10.50.1:
root@forwarder:~# tcpdump -vvv -i 10.10.50.1 udp port 514
tcpdump: 10.10.50.1: SIOCETHTOOL(ETHTOOL_GET_TS_INFO) ioctl failed: No such device
root@forwarder:~# tcpdump -vvv -i 10.10.50.1 tcp port 514
tcpdump: 10.10.50.1: SIOCETHTOOL(ETHTOOL_GET_TS_INFO) ioctl failed: No such device
I'm not sure what's going on, but my gut tells me that the Cisco ASA is not communicating with syslog-ng, which is installed on the forwarder server.
I installed tcpdump and tried running it for the first time. I'm not sure if some ports are missing or anything, but I'm not sure where to look.
Does everything look OK? Or does anything not look right?
tcpdump output from the forwarder:
root@forwarder:~# tcpdump -i ens160
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
10:08:21.205181 IP 10.10.50.1.syslog > 10.10.50.12.syslog: SYSLOG local5.error, length: 141
10:08:21.205221 IP 10.10.50.12 > 10.10.50.1: ICMP 10.10.50.12 udp port syslog unreachable, length 177
10:08:21.205963 IP 10.10.50.12.28344 > dns1.tpgi.com.au.domain: 38283+ PTR? 12.50.10.10.in-addr.arpa. (42)
10:08:21.208036 IP dns1.tpgi.com.au.domain > 10.10.50.12.28344: 38283 NXDomain 0/1/0 (119)
10:08:21.208235 IP 10.10.50.12.45615 > dns1.tpgi.com.au.domain: 57567+ PTR? 1.50.10.10.in-addr.arpa. (41)
10:08:21.209522 IP dns1.tpgi.com.au.domain > 10.10.50.12.45615: 57567 NXDomain 0/1/0 (118)
10:08:21.209752 IP 10.10.50.12.38074 > dns1.tpgi.com.au.domain: 11768+ PTR? 35.160.12.203.in-addr.arpa. (44)
10:08:21.211518 IP dns1.tpgi.com.au.domain > 10.10.50.12.38074: 11768 1/2/0 PTR dns1.tpgi.com.au. (110)
10:08:21.332932 IP 10.10.50.12.35998 > 10.10.50.11.9997: Flags [P.], seq 4241108933:4241109329, ack 1934590004, win 237, options [nop,nop,TS val 128417542 ecr 285094319], length 396
10:08:21.333142 IP 10.10.50.11.9997 > 10.10.50.12.35998: Flags [.], ack 396, win 1452, options [nop,nop,TS val 285094735 ecr 128417542], length 0
[2]+ Stopped tcpdump -i ens160
tcpdump output from the indexer:
root@indexer:~# tcpdump -i ens160
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
17:35:54.469974 IP 10.10.50.12.35998 > 10.10.50.11.9997: Flags [P.], seq 4241118889:4241119208, ack 1934590004, win 237, options [nop,nop,TS val 128428299 ecr 285104916], length 319
17:35:54.470013 IP 10.10.50.12.60808 > 10.10.50.11.9997: Flags [S], seq 604967860, win 29200, options [mss 1460,sackOK,TS val 128428299 ecr 0,nop,wscale 7], length 0
17:35:54.470038 IP 10.10.50.11.9997 > 10.10.50.12.35998: Flags [.], ack 319, win 1452, options [nop,nop,TS val 285105492 ecr 128428299], length 0
17:35:54.470052 IP 10.10.50.11.9997 > 10.10.50.12.60808: Flags [S.], seq 2536124428, ack 604967861, win 28960, options [mss 1460,sackOK,TS val 285105492 ecr 128428299,nop,wscale 7], length 0
17:35:54.470199 IP 10.10.50.12.60808 > 10.10.50.11.9997: Flags [.], ack 1, win 229, options [nop,nop,TS val 128428299 ecr 285105492], length 0
17:35:54.470254 IP 10.10.50.12.60808 > 10.10.50.11.9997: Flags [F.], seq 1, ack 1, win 229, options [nop,nop,TS val 128428299 ecr 285105492], length 0
17:35:54.470520 IP 10.10.50.11.9997 > 10.10.50.12.60808: Flags [F.], seq 1, ack 2, win 227, options [nop,nop,TS val 285105492 ecr 128428299], length 0
17:35:59.441948 IP 10.10.50.12.35998 > 10.10.50.11.9997: Flags [P.], seq 319:688, ack 1, win 237, options [nop,nop,TS val 128429542 ecr 285105492], length 369
17:35:59.442022 IP 10.10.50.11.9997 > 10.10.50.12.35998: Flags [.], ack 688, win 1452, options [nop,nop,TS val 285106735 ecr 128429542], length 0
17:35:59.442137 IP 10.10.50.12.35998 > 10.10.50.11.9997: Flags [P.], seq 688:779, ack 1, win 237, options [nop,nop,TS val 128429542 ecr 285106735], length 91
17:35:59.442169 IP 10.10.50.11.9997 > 10.10.50.12.35998: Flags [.], ack 779, win 1452, options [nop,nop,TS val 285106735 ecr 128429542], length 0
[7]+ Stopped tcpdump -i ens160
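The forwarder capture above already contains the diagnostic: the ASA sends a syslog datagram to 10.10.50.12 and the forwarder immediately answers "ICMP udp port syslog unreachable", which is what a host sends when no process is bound to that UDP port. The following is an added example, not code from the original post, that parses tcpdump lines of that shape (sample lines constructed after the ones above) and reports syslog senders whose datagrams are being rejected.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the forwarder capture in the post above.
SAMPLE_CAPTURE = """\
10:08:21.205181 IP 10.10.50.1.syslog > 10.10.50.12.syslog: SYSLOG local5.error, length: 141
10:08:21.205221 IP 10.10.50.12 > 10.10.50.1: ICMP 10.10.50.12 udp port syslog unreachable, length 177
10:08:21.332932 IP 10.10.50.12.35998 > 10.10.50.11.9997: Flags [P.], seq 1:397, ack 1, win 237, length 396
10:08:21.333142 IP 10.10.50.11.9997 > 10.10.50.12.35998: Flags [.], ack 396, win 1452, length 0
"""

IPV4 = r"(\d+(?:\.\d+){3})"
# "IP <src>.<port> > <dst>.syslog: SYSLOG ..." : a syslog datagram towards UDP 514
SYSLOG_RE = re.compile(rf"IP {IPV4}\.\S+ > {IPV4}\.syslog: SYSLOG")
# "IP <responder> > <sender>: ICMP <responder> udp port syslog unreachable" :
# the responder has no listener bound to UDP 514
UNREACH_RE = re.compile(rf"IP {IPV4} > {IPV4}: ICMP \S+ udp port syslog unreachable")


def analyse_capture(text):
    """Return one dict per (sender, receiver) syslog flow seen in the tcpdump text.

    listener_ok is False when the receiver answered with ICMP port unreachable.
    A flow with no ICMP reply is reported as OK, but note that an ICMP-filtering
    firewall on the receiver would hide the rejection, so treat that as 'no evidence'.
    """
    sent = defaultdict(int)        # (sender, receiver) -> syslog datagrams seen
    rejected = defaultdict(int)    # (responder, sender) -> ICMP unreachables seen
    for line in text.splitlines():
        m = SYSLOG_RE.search(line)
        if m:
            sent[(m.group(1), m.group(2))] += 1
            continue
        m = UNREACH_RE.search(line)
        if m:
            rejected[(m.group(1), m.group(2))] += 1
    return [
        {"sender": src, "receiver": dst, "datagrams": n,
         "unreachable": rejected.get((dst, src), 0),
         "listener_ok": rejected.get((dst, src), 0) == 0}
        for (src, dst), n in sorted(sent.items())
    ]


if __name__ == "__main__":
    for flow in analyse_capture(SAMPLE_CAPTURE):
        print(flow)
```

Note that `tcpdump -i` takes an interface name (ens160 here), and the sender is selected with a capture filter such as `udp port 514 and src host 10.10.50.1`; the ICMP replies in the capture mean the ASA is reaching the forwarder but nothing on the forwarder is bound to UDP 514, which is what to verify next with `ss -lun`.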