I have an ASA firewall sending data to my splunk server (syslog port 514). When I run tcpdump...
tcpdump -i eth1 host 172.28.8.234 > test.txt
I get data dumped. It looks like...
11:15:53.627144 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 145
11:15:53.628353 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 146
11:15:53.629599 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 181
But when I search splunk for the ip 172.28.8.234, I get jack squat. What are some reasons splunk would not be logging this data? Splunk is listening on UDP port 514...
~# nmap -sU localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2013-05-03 11:20 EDT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 998 closed ports
PORT STATE SERVICE
123/udp open|filtered ntp
514/udp open|filtered syslog
... View more