Hi nilesh8.
I'm not familiar with that particular firewall, but I'm assuming that it is capable of sending Syslog messages.
You can configure Splunk to accept Syslog messages by following the steps in this link: http://docs.splunk.com/Documentation/Splunk/5.0.4/Data/SyslogUDP
Hope this helps 🙂
I have found the following entries in the Splunk log:
08-26-2013 04:22:05.656 -0700 INFO TcpInputConfig - performing DNS lookup on 192.168.2.1
Also I tried to configure it via SNMP and found the log below:
CarrierError: bind() for (u'192.168.2.1', 162) failed: [Errno 10049] The requested address is not valid in its context
My only other suggestions at this point would be to narrow down the possible cause:
- Redirect a device/server with known-good syslog generation to Splunk
- Point your firewall at a known/good syslog collector
- Look at the event in $SPLUNK_HOME/var/log/splunk/splunkd.log to see any potential issues
Everything you've mentioned indicates you've set it up correctly, so it's time for troubleshooting now 🙂
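To make the two "known-good" checks above concrete, here is a small Python 3 script I use for this kind of isolation; it is an added example, not code from the original thread or from Splunk. It builds an RFC 3164 syslog line, sends it over UDP or TCP, and can stand up a throwaway collector on 127.0.0.1 so you can prove the sender side works before pointing it at Splunk. It also includes a bind check, because the "bind() ... failed: [Errno 10049] The requested address is not valid in its context" message in the SNMP log is Windows WSAEADDRNOTAVAIL: the address a listener binds to must be an address of the Splunk host itself, and 192.168.2.1 does not appear to be one. The hostname "testhost", tag "syslogtest" and the sample message are made up for the example; Errno 99 is the Linux equivalent of 10049.

```python
# Added example (not from the original thread): throwaway syslog sender/collector
# for isolating "no events arrive in Splunk" problems.
import socket
import time


def format_syslog(message, facility=1, severity=6, hostname="testhost",
                  tag="syslogtest", timestamp=None):
    """Build an RFC 3164 line: <PRI>Mmm dd HH:MM:SS hostname tag: message.
    PRI = facility*8 + severity, so facility 1 (user) + severity 6 (info) -> <14>.
    The day is space-padded ("Aug  6"), as the RFC requires."""
    if timestamp is None:
        now = time.localtime()
        timestamp = "%s %2d %s" % (time.strftime("%b", now), now.tm_mday,
                                   time.strftime("%H:%M:%S", now))
    return "<%d>%s %s %s: %s" % (facility * 8 + severity, timestamp,
                                 hostname, tag, message)


def send_syslog(host, port, line, proto="udp", timeout=3.0):
    """Send one syslog line. TCP appends a newline (Splunk's TCP input splits
    events on it); UDP sends one datagram. Returns (ok, error_text).
    Caveat: a UDP send "succeeds" even if nothing listens, so only a TCP
    connection refused/timeout is real evidence that the input is not up."""
    data = line.encode("utf-8")
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(data, (host, port))
        else:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(data + b"\n")
        return True, ""
    except OSError as e:
        return False, "%s: %s" % (e.errno, e.strerror or e)


def can_bind(ip, port, proto="udp"):
    """Try to bind a listener to (ip, port) and return (ok, errno).
    A non-local ip fails with EADDRNOTAVAIL: errno 99 on Linux, 10049 on
    Windows ("The requested address is not valid in its context")."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        try:
            s.bind((ip, port))
            return True, 0
        except OSError as e:
            return False, e.errno


def loopback_roundtrip(line, proto="udp"):
    """Stand up a collector on 127.0.0.1 (OS-chosen port), send `line` to it
    with send_syslog, and return what arrived. A passing round trip proves the
    sender; pointing the same sender at Splunk then isolates the Splunk side."""
    kind = socket.SOCK_DGRAM if proto == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.settimeout(3.0)
        port = srv.getsockname()[1]
        if proto == "udp":
            ok, err = send_syslog("127.0.0.1", port, line, "udp")
            if not ok:
                raise RuntimeError(err)
            data, _ = srv.recvfrom(65535)
            return data.decode("utf-8")
        srv.listen(1)
        ok, err = send_syslog("127.0.0.1", port, line, "tcp")
        if not ok:
            raise RuntimeError(err)
        conn, _ = srv.accept()
        with conn:
            data = b""
            while not data.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                data += chunk
        return data.decode("utf-8").rstrip("\n")


if __name__ == "__main__":
    import sys
    line = format_syslog("splunk input test from %s" % socket.gethostname())
    for proto in ("udp", "tcp"):
        print("loopback %s: %r" % (proto, loopback_roundtrip(line, proto)))
    if len(sys.argv) > 1:   # e.g. python3 syslogtest.py 192.168.2.1 514
        host = sys.argv[1]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 514
        for proto in ("udp", "tcp"):
            print("send %s to %s:%d -> %s" % (proto, host, port,
                                              send_syslog(host, port, line, proto)))
```

Run it once with no arguments: both loopback lines should echo the message back. Then run it with the Splunk host as argument: a TCP result of "connection refused" means nothing is listening on 514 on that host (input not enabled, or the host firewall), a timeout points at a firewall in between, and a successful TCP send that still shows nothing for sourcetype=syslog in Splunk points at the input or index configuration rather than the network. On Unix hosts, remember that a listener on port 514 needs root or an equivalent capability, which is another reason an input can appear "Enabled" yet never bind.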
I have configured it via TCP and UDP port 514; still I am waiting for logs.
I have configured it with TCP 514 only
TCP port = 514
Source type = syslog
Status = Enabled
Ahhh one other point I forgot to mention, have you confirmed that Splunk is set up to receive TCP 514?
- Manager > Data Inputs > TCP > Add New
You might want to do the same for UDP just to be sure.
I have configured it by TCP port and also disabled the server firewall, but still do not see any logs in Splunk.
A few things I'd check:
- Ensure Syslog is being sent by TCP not UDP
- Temporarily disable the server firewall on the Splunk server to see whether that's a factor
Hi Turk,
Thanks for the reply. I have configured it via syslog UDP port 514, but I am not able to see any logs in Splunk, and the connection also does not show in the 'netstat' command.