You can configure Splunk to listen on a > 1024 port and use Linux's iptables to do port redirection.
For example, configure in inputs.conf: [udp:1049]
And put into your iptables config:
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 1049
Also check the connection between the forwarder and the receiver.
Refer to this link:
You need to enable the forwarder receiving port on the indexer:
Refer to this link to do the same:
Let me know if this helps!
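The redirect described in the answer above, worked through as an added example (this is not code from the original post or from Splunk). It assumes the indexer runs iptables with the `nat` and `filter` tables, that Splunk runs unprivileged and listens on UDP 1049 via a `[udp://1049]` stanza in inputs.conf, and that syslog senders target UDP 514. Two points the answer does not spell out are handled here: packets generated on the indexer itself never traverse PREROUTING, so a matching rule in the nat OUTPUT chain is needed for local senders, and any filter-table INPUT rule has to accept the rewritten port (1049), because NAT runs before filtering. REDIRECT only rewrites the destination port, so the sender's source IP is preserved and `connection_host = ip` still yields the right `host` field. The rule-listing check parses `iptables -t nat -S PREROUTING` output; the sample listing used when testing is constructed.

```shell
#!/bin/sh
# Added example: run Splunk's syslog listener on an unprivileged port and
# redirect UDP 514 to it with iptables. Hypothetical helper names; ports are
# assumptions matching the answer above.
SYSLOG_PORT=514     # port the syslog senders are configured for
SPLUNK_PORT=1049    # unprivileged port Splunk actually binds (> 1024)

# Emit the inputs.conf stanza for the unprivileged listener.
# connection_host = ip works because REDIRECT leaves the source address intact.
inputs_stanza() {
  cat <<EOF
[udp://${SPLUNK_PORT}]
sourcetype = syslog
connection_host = ip
EOF
}

# Return 0 if the given "iptables -t nat -S PREROUTING" listing already
# contains the 514 -> 1049 redirect, so applying twice does not duplicate it.
redirect_present() {
  printf '%s\n' "$1" | grep -Eq -- \
    "-A PREROUTING .*-p udp .*--dport ${SYSLOG_PORT} .*-j REDIRECT --to-ports ${SPLUNK_PORT}"
}

# Install the redirect idempotently (needs root; not run unless asked).
apply_redirect() {
  existing=$(iptables -t nat -S PREROUTING 2>/dev/null) || existing=""
  if redirect_present "$existing"; then
    echo "redirect ${SYSLOG_PORT}->${SPLUNK_PORT} already present"
    return 0
  fi
  # Remote senders: rewritten on the way in, before the filter table sees it.
  iptables -t nat -A PREROUTING -p udp --dport "$SYSLOG_PORT" \
    -j REDIRECT --to-ports "$SPLUNK_PORT"
  # Locally generated syslog (e.g. logger on the indexer) skips PREROUTING.
  iptables -t nat -A OUTPUT -o lo -p udp --dport "$SYSLOG_PORT" \
    -j REDIRECT --to-ports "$SPLUNK_PORT"
  # The filter table sees the rewritten port, so accept 1049, not 514.
  iptables -A INPUT -p udp --dport "$SPLUNK_PORT" -j ACCEPT
}

# Quick end-to-end check: send one syslog line to the public port, then look
# for it in the Splunk UI with  index=* sourcetype=syslog "redirect-test".
send_test_message() {   # $1 = indexer address (assumed reachable)
  printf '<13>redirect-test from %s\n' "$(hostname)" | nc -u -w1 "$1" "$SYSLOG_PORT"
  # Packet counters on the redirect rule should increase by one:
  iptables -t nat -L PREROUTING -v -n | grep "REDIRECT.*dpt:${SYSLOG_PORT}"
  # And Splunk must be bound on the unprivileged port:
  ss -lun | grep -q ":${SPLUNK_PORT} " && echo "splunkd listening on ${SPLUNK_PORT}"
}

case "${1:-}" in
  apply)  apply_redirect ;;
  stanza) inputs_stanza ;;
  verify) send_test_message "${2:-127.0.0.1}" ;;
esac
```

Usage: `sh redirect.sh stanza >> $SPLUNK_HOME/etc/system/local/inputs.conf`, restart Splunk, then `sudo sh redirect.sh apply` and `sh redirect.sh verify <indexer-ip>`. Rules added this way do not survive a reboot; persist them with your distribution's iptables-save mechanism.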