Hi All,
I have configured the UDP port in data input on port 514 but still no luck in receiving any syslog data from network devices.
We have configured near about 20 devices to forward the logs via UDP (514) to our Splunk indexer, but none are shown under search data summary.
Splunk Enterprise is running on Windows Server 2012.
Kindly help to get it resolved.
Thanks in advance.
Try using PowerShell to put data into the indexer and let me know if it works.

    function logSend([string]$s) {
        # Send $s as one UDP datagram to each listed address
        $ip = @("127.0.0.1")   # array of IPs to send UDP data to
        $port = 514
        $ip | ForEach-Object {
            $address = [System.Net.IPAddress]::Parse($_)
            $udpClient = New-Object System.Net.Sockets.UdpClient
            try {
                # Connect the UDP client to the address and send $s ASCII-encoded
                $udpClient.Connect($address, $port)
                $sendBytes = [Text.Encoding]::ASCII.GetBytes($s)
                [void]$udpClient.Send($sendBytes, $sendBytes.Length)
            }
            catch { Write-Host $_ }   # report the error raised by this attempt
            finally { $udpClient.Close() }
        }
    }
    logSend "test event"

Did you dump traffic to see that traffic on port 514 is actually reaching the machine?
Another thing to try when verifying things is to run a realtime search in Splunk. That way you see exactly what data is coming in, so if there are issues with incorrect timestamps for instance you would still see the logs coming in with the realtime search.
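
An added example, not posted by anyone in this thread: a small PowerShell listener for checking whether datagrams from the devices reach the Windows host at all, independently of Splunk. The function name `Test-SyslogArrival` and its parameters are assumptions made for this illustration.

```powershell
# Added example (not from the thread): report UDP datagrams arriving on a port.
# Only one process can normally bind a UDP port, so run this with the Splunk
# UDP input disabled, or on a spare port that one device is pointed at.
function Test-SyslogArrival {
    param([int]$Port = 514, [int]$Seconds = 30)

    try {
        $listener = New-Object System.Net.Sockets.UdpClient -ArgumentList $Port
    }
    catch {
        $e = $_.Exception.GetBaseException()
        if ($e -is [System.Net.Sockets.SocketException] -and
            $e.SocketErrorCode -eq 'AddressAlreadyInUse') {
            Write-Host "UDP $Port is already bound by another process; free it or use another port."
            return
        }
        throw
    }

    $seen = @{}                                   # sender IP -> datagram count
    $remote = New-Object System.Net.IPEndPoint([System.Net.IPAddress]::Any, 0)
    $listener.Client.ReceiveTimeout = 1000        # ms; lets the loop check the deadline
    $deadline = (Get-Date).AddSeconds($Seconds)
    try {
        while ((Get-Date) -lt $deadline) {
            try { $bytes = $listener.Receive([ref]$remote) }
            catch {
                $e = $_.Exception.GetBaseException()
                if ($e -is [System.Net.Sockets.SocketException] -and
                    $e.SocketErrorCode -eq 'TimedOut') { continue }
                throw
            }
            $src = $remote.Address.ToString()
            $seen[$src] += 1
            $text = [Text.Encoding]::ASCII.GetString($bytes)
            # Syslog messages start with "<PRI>", where PRI = facility * 8 + severity
            if ($text -match '^<(\d{1,3})>') {
                $pri = [int]$Matches[1]
                $kind = "syslog facility=$([math]::Floor($pri / 8)) severity=$($pri % 8)"
            }
            else { $kind = "no <PRI> header" }
            Write-Host "$src  $($bytes.Length) bytes  $kind"
        }
    }
    finally { $listener.Close() }

    if ($seen.Count -eq 0) { Write-Host "Nothing arrived on UDP $Port in $Seconds s." }
    return $seen
}

Test-SyslogArrival -Port 514 -Seconds 30
```

If device addresses are listed here but nothing appears in a realtime search, look at the Splunk input and index settings; if nothing is listed, look at the devices and the network path.
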
Hello @ayn and @sumit29,
I am facing the same problem now. I have configured the UDP port 514 in data input (local input, not forwarded inputs) but still no luck in receiving any data from the data sending device (verified that data is coming in till that).
No data is shown under search data summary.
Splunk Enterprise v 6.3 is running on a Windows 7 machine.
Please enlighten others by helping solve this issue.
Still waiting for the reply
Hi, thanks for the quick reply.
I did netstat on the indexer and it's listening on the UDP 514 port.
Windows Firewall is disabled.
I have also downloaded the Snare agent to forward the logs to the indexer; there also no luck.
Version running: Splunk 6.2
Kindly help, got stuck.
Troubleshooting tips: