- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Linux Syslogd Config
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Linux Syslogd Config
This is not a splunk specific question however it is very related and involves config of syslog on a linux host that will NOT send to my splunk server.
I have a linux server running syslogd ver 1.4.1 and I have added a line to the syslog.conf file that has . @192.168.1.1:64514
(I use port 64514 due to a port conflict but it works). Keep in mind I have this working on other hosts.
When I trigger an event I get nothing on Splunk. If I run a packet capture on the host I do not even see the packets attempting to leave. However, if I remove the port number (64514), I do see traffic leaving on port 514.
Can anyone help with this problem?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Frnd,
See here you have just mentioned the ipaddress of the other host in the syslog.conf file in which where your all logs that listening to the port 514 to be forwarded tell me that have you installed and configured the splunk on the 192.168.1.1 server?.
inform me whether above my comments gave you an idea.
Regards,
Aravinth
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If this is close to the man page for your syslogd, it may not have support for logging to an alternate port: http://linux.die.net/man/8/syslogd
I can recommend rsyslog as a very flexible alternative.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for that. I had "suspected" this was the case but could not see it documented but it does explain why it does not work. I'll go with rsyslog.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes I am able to get a connection to the ip:port combination.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you check if you are able to connect to the ip port? You can do 'telnet 192.168.1.1 64514' or 'echo "test" | nc 192.168.1.1 64154'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have now checked and no, the port is not being used.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you check netstat to see if the port you are trying to use is already in use?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
