Getting Data In

Problems creating an UDP input: Error binding to socket in UDPInputProcessor: Permission Denied

psobisch
Path Finder

Hello,

After a new installation of universal forwarder 6.1.2 on a new RHEL6 machine we have just copied the appropriate app directory to the new forwarder (a procedure which was working every time in the past) but now, we've got a problem because the input which was configured in the app (udp://514), was not created.

Inside of splunkd.log I found:

Error binding to socket in UDPInputProcessor: Permission Denied

Splunk is running as splunk:splunk.

What went wrong?
Do you have any hints?

Regards,
Peter

Tags (2)
0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Non-root users cannot bind to ports below 1024 on Linux systems.

You could forward 514 to e.g. 5140 and have Splunk listen on that (talk to your Linux admins), or have your sources send data on a different port, or - probably best - have a syslog daemon receive the data on 514, write it to log files, and let the forwarder read those.

psobisch
Path Finder

thanks! Just forgotten it! 🙂
I was confused because we have an older instance of forwarder running with the same app, but, in fact splunk was running as root.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...