Getting Data In

Edited inputs.conf file: where can I find the log files, or can I bring up the results through the command line?

mahmudomer
Engager

Hi,

I am using Splunk on Ubuntu and edited the inputs.conf file to look at an IP address which I hope is working.

I want to look in the log file to test if it's working, but I am unable to locate which log files it would be located in.

Also, if someone could post part of their inputs.conf file, just so I can make sure I am inputting the stanza correctly, that would be amazing.

Any help would be appreciated.
Thanks.

1 Solution

martin_mueller
SplunkTrust

That'll listen for TCP data on port 23, so connection attempts without any data aren't going to show. This is for an application sending you splunkable data as a TCP stream.

Instead, you should get your local firewall to log these attempts and splunk the firewall logs.


martin_mueller
SplunkTrust

If you didn't specify an index then they will end up in index=main. Look for tcp, that IP, and that port in the source field.

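Added example, not from this thread or from Splunk's documentation, that follows the accepted answer (log the attempts at the firewall and index that log) together with the "they end up in index=main" reply above. It adds an iptables LOG rule for TCP connection attempts from one source IP on Ubuntu, prints the inputs.conf monitor stanza that brings the resulting kernel log into Splunk, and shows, over constructed sample log lines, what a search for that SRC address would count per destination port. Assumptions not stated in the thread: the host uses iptables (ufw front-ends it) and writes kernel log lines to /var/log/kern.log; the watched address 192.168.1.88 is taken from the poster's stanza; the log prefix SPLUNK_WATCH, the sourcetype name linux_firewall, and the function names are mine.

```shell
#!/bin/sh
# Added example (not the original poster's or Splunk's own code).
# Logs TCP connection attempts from one source IP with iptables, gives the
# Splunk monitor stanza for the kernel log, and emulates the search-side
# field extraction on constructed sample lines so it can run without Splunk.
# Assumed: iptables is in use, kernel log lines land in /var/log/kern.log.

WATCHED_IP="192.168.1.88"        # from the poster's [tcp:...] stanza
LOG_PREFIX="SPLUNK_WATCH: "      # assumed prefix, makes the lines easy to search

# 1. Firewall side: log new inbound TCP connection attempts (SYN) from the
#    watched IP ahead of any accept/drop rule. Rate-limited so a scan cannot
#    flood the log. Needs root; only run when invoked with "apply".
add_firewall_logging() {
    iptables -I INPUT 1 -s "$WATCHED_IP" -p tcp --syn \
        -m limit --limit 5/min -j LOG --log-prefix "$LOG_PREFIX" --log-level 4
}

# 2. Splunk side: monitor stanza for inputs.conf. No index is set on purpose,
#    so as in the thread the events land in index=main.
print_inputs_conf() {
    cat <<'EOF'
[monitor:///var/log/kern.log]
disabled = false
sourcetype = linux_firewall
EOF
}

# 3. Search side: count attempts from one SRC address per destination port.
#    Equivalent SPL once the log is indexed (sourcetype name is assumed):
#      index=main sourcetype=linux_firewall "SPLUNK_WATCH" SRC=192.168.1.88
#      | stats count by SRC, DPT
#    Usage: count_attempts_from <ip> with kernel log lines on stdin.
count_attempts_from() {
    awk -v ip="$1" '
        /SPLUNK_WATCH/ {
            src = ""; dpt = "";
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5);   # strip "SRC="
                if ($i ~ /^DPT=/) dpt = substr($i, 5);   # strip "DPT="
            }
            if (src == ip) n[dpt]++;
        }
        END { for (p in n) printf "%s %d\n", p, n[p] }' | sort
}

# Constructed sample lines in iptables LOG format (not real captures):
# three SYNs from the watched IP (two to port 23, one to port 22) and one
# from an unrelated host, which must not be counted.
SAMPLE_LOG='Mar 10 12:00:01 mahmud-X551CA kernel: [ 1234.5678] SPLUNK_WATCH: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.88 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 12:00:02 mahmud-X551CA kernel: [ 1235.0000] SPLUNK_WATCH: IN=eth0 OUT= SRC=192.168.1.88 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51001 DPT=23 SYN URGP=0
Mar 10 12:00:03 mahmud-X551CA kernel: [ 1236.0000] SPLUNK_WATCH: IN=eth0 OUT= SRC=192.168.1.88 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=51002 DPT=22 SYN URGP=0
Mar 10 12:00:04 mahmud-X551CA kernel: [ 1237.0000] SPLUNK_WATCH: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=40000 DPT=23 SYN URGP=0'

# "sh script.sh apply" installs the iptables rule (root). With no argument it
# prints the inputs.conf stanza and the per-port counts from the sample, i.e.
# "22 1" and "23 2" for 192.168.1.88.
if [ "$1" = "apply" ]; then
    add_firewall_logging
else
    print_inputs_conf
    printf '%s\n' "$SAMPLE_LOG" | count_attempts_from "$WATCHED_IP"
fi
```

The LOG rule goes first in INPUT so the attempt is recorded whether a later rule accepts or drops it; a plain `[tcp://<port>]` input, as the answer says, only ever sees connections that deliver data. Once the stanza is in place, the SPL in the comment is the saved search to turn into an alert for the "connections from a specific IP" requirement, without any app.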

mahmudomer
Engager

Thanks somesoni2, that's very helpful.

Hi Martin,
This is my inputs.conf posted.

[default]
host = mahmud-X551CA

[tcp-ssl:]

[tcp:192.168.1.88:23]

Which I think may have been incorrect according to the file that somesoni2 posted.

And sorry for the bad description of "look at an IP address". I should have said "look for any data received from a specific IP address".

I am currently doing a university project, and I am trying to find out how Splunk can alert me if any connections or data are received from specific IP addresses, without using any apps.

Thanks.


mahmudomer
Engager

Thanks Martin,
I will use it both ways and see if there is a difference in how Splunk displays the output. One more question: where do I find the logs to display these specific results? I have quite a lot of log files, but they do not seem to be referring to the rule that I have set.


somesoni2
SplunkTrust

You can see an example inputs.conf in the documentation. See this:
http://docs.splunk.com/Documentation/Splunk/6.1.2/Admin/Inputsconf#inputs.conf.example

You can search questions with "inputs.conf" to see more samples in this forum.

martin_mueller
SplunkTrust

Do post your inputs.conf settings - for example, I'm not quite sure what you mean by "look at an IP address".
