Data Inputs / TCP or UDP

Pierre
Engager

I am not very familiar with Splunk and syslog servers in general, but I am trying to learn. There is a "Broadcast on LAN" option in the "Syslog" section of my Netgear router, but I do not know which port number to use in Splunk when I activate the syslog broadcast. I have contacted Netgear but I haven't been able to get a clear answer, and they keep telling me to contact Splunk even though I told them that I can use any port number I want in "Data Inputs / TCP" or "Data Inputs / UDP". Their last suggestion was to use port forwarding or port triggering, but I am not sure that this is what I should be doing. I realize that I am starting from scratch but would appreciate any help you can give me to get started. Many thanks in advance.


Pierre
Engager

Ayn and Leo, many thanks for your help.

As suggested by Leo, I used the "Send to this Syslog server IP address" option on the Netgear router and entered my main computer's IP address (192.168.0.2). I run the Splunk server on this computer.

When I then tried to set up a new UDP data input, Splunk returned “Encountered the following error while trying to save: In handler 'udp': UDP port 514 is not available”. I was able to solve this thanks to gabedimeglio’s answer to: http://answers.splunk.com/questions/1653/cant-add-udp-input-because-of-error-udp-port-514-is-not-ava.... The key was to use “sudo ./splunk start” rather than just “./splunk start”.

I can now see the router’s syslog events in splunk>Search so it seems that I am all set now.

Thanks again (and to gabedimeglio too)!
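A small pre-flight check for the situation described above, added here as an example and not code from the thread or from Splunk: it tries to bind UDP/514 the way a syslog input would and reports whether the port is free, refused for lack of privilege (the cause of the "UDP port 514 is not available" error, which is why starting Splunk as root worked), or already taken by another listener, and it decodes the PRI header of a router datagram so you can confirm what is arriving. The sample datagram is constructed.

```python
import errno
import socket


def probe_udp_port(port, host="0.0.0.0"):
    """Bind a UDP socket like a syslog input would and classify the outcome.

    Returns "available", "permission-denied" (ports below 1024 need root or
    CAP_NET_BIND_SERVICE on Linux) or "in-use" (e.g. a local syslog daemon
    already owns the port).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "available"
    except PermissionError:
        return "permission-denied"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"
        raise
    finally:
        sock.close()


def parse_syslog_pri(datagram):
    """Split the <PRI> prefix of a BSD-style (RFC 3164) syslog datagram.

    Returns (facility, severity, message) or None if there is no valid PRI.
    """
    if not datagram.startswith(b"<"):
        return None
    end = datagram.find(b">", 1, 5)  # PRI is at most three digits
    if end == -1 or not datagram[1:end].isdigit():
        return None
    pri = int(datagram[1:end])
    return pri // 8, pri % 8, datagram[end + 1:].decode("utf-8", "replace")


# Constructed sample: PRI 134 = facility 16 (local0) * 8 + severity 6 (info)
SAMPLE = b"<134>Jan  1 00:00:00 netgear: [DHCP IP: (192.168.0.2)] to MAC address 00:00:00:00:00:00"

if __name__ == "__main__":
    print("UDP/514:", probe_udp_port(514))
    print(parse_syslog_pri(SAMPLE))
```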

Leo
Splunk Employee

On the same page of your Netgear router there should be another option called "Send to this syslog server IP address" followed by a space where you should type the IP address of your machine with Splunk. Then on Splunk go to Data Inputs/UDP and type 514 as the port number. Your syslog data should start flowing in.


Ayn
Legend

Syslog broadcast is a new concept to me! Doesn't sound very efficient...but, the easiest thing would probably be to run tcpdump on a box on the LAN, for instance the box you're running Splunk on. If it's indeed syslog though, it should be UDP port 514.
