
Universal forwarder windows to syslog doesn't work

mmather67
Path Finder

I am trying to get the Universal Forwarder to forward event logs (System and Security) from Windows to syslog on Linux. Nothing happens. The Linux box does not receive any packets addressed to port 514.

The computers are directly connected, the firewall on the Windows machine is off and the netfilter firewall on the Linux machine just accepts everything.

The machines can ping each other, and the Windows machine can access the Linux machine using HTTP.

To create log entries I clear the log file, and Windows creates one log record to say that this happened. (I have also tried logging off and on again, and also opening a command window. No better.)

The file ..\etc\system\local\outputs.conf says:

[syslog]
defaultGroup = mysyslog
disabled = false

# the IP of the Linux machine
[syslog:mysyslog]
server = 192.168.0.99:514
type = udp

The file ...\etc\system\local\inputs.conf says:

# the Windows machine
[default]
host = testserver

# ... and ditto for [WinEventLog:System]
[WinEventLog:Security]
disabled = 0
start_from = oldest     # I have tried newest
current_only = 0        # I have tried 1
evt_dc_name =
evt_dns_name =
evt_resolve_ad_obj = 0
checkpointInterval = 5

Any suggestions while I still have some hair?

Damien_Dallimor
Ultra Champion

Just to add to chrisrex's post...as port 514 is in the privileged port range, your Splunk Indexer on Linux would have to be run with "root" permissions for UDP port 514 to open.

http://www.splunk.com/base/Documentation/latest/Installation/RunSplunkasadifferentornon-rootuser

Also, you could try running a network sniffer such as "wireshark" on the windows machine to ensure that syslog packets are actually being sent out over the network interface.

0 Karma

mmather67
Path Finder

Thanks Damien. See above. Also, I can get the Universal Forwarder to send events to the Indexer, but not to syslog.

And thanks for "wireshark". That is the answer to my next question, which has not been asked yet!

0 Karma

chrisrex
Explorer

Can you verify syslog is open on your linux box with netstat -an|grep 514? You should see something like this: udp 0 0 0.0.0.0:514 0.0.0.0:*

0 Karma

mmather67
Path Finder

Thanks Chris. Yes, I am running syslogd as root, and I get exactly what you suggest. In addition, tcpdump shows nothing arriving mentioning port 514. I would expect to see it even if the port was closed. It looks like nothing relevant leaves the Windows machine. (But I do see packets addressed to port 9997.)

0 Karma