Getting Data In

Universal forwarder windows to syslog doesn't work

mmather67
Path Finder

I am trying to get the Universal Forwarder to forward event logs (System and Security) from Windows to syslog on Linux. Nothing happens. The Linux box does not receive any packets addressed to port 514.

The computers are directly connected, the firewall on the windows machine is off and the netfilter firewall on the linux machine just accepts everything.

The machines can ping each other, and the windows machine can access the linux machine using HTTP.

To create log entries I clear the log file, and windows creates one log record to say that this happens. (I have also tried logging off and on again, and also opening a command window. No better.)

The file ...\etc\system\local\outputs.conf says:

[syslog]
defaultGroup=mysyslog
disabled = false
[syslog:mysyslog]
server=192.168.0.99:514    # the IP of the Linux machine
type=udp

The file ...\etc\system\local\inputs.conf says: (the dashes are actually underlines)

[default]
host=testserver   # the windows machine
[WinEventLog:Security]    # . . and ditto for [WinEventLog:System]
disabled    = 0
start-from  = oldest    # I have tried newest
current-only=0          # I have tried 1 
evt-dc-name = 
evt-dns-name = 
evt-resolve-ad-obj = 0 
checkpointinterval = 5 

Any suggestions while I still have some hair?
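Added example, not from this thread or from Splunk: a small Python checker that reads .conf text the way Splunk does (only a line that begins with "#" is a comment, so a trailing "# note" after a value stays inside the value) and flags the trailing annotations and hyphenated keys that appear in the two files as posted, plus a defaultGroup/server sanity check for the syslog output. The function names parse_conf and check_conf and the embedded sample are chosen here.

```python
import re

def parse_conf(text: str) -> tuple[dict, list]:
    """Parse stanzas and key = value pairs the way Splunk does: only a line
    that starts with '#' is a comment, so a trailing '# note' stays in the value."""
    conf, notes, stanza = {}, [], "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            stanza, _, rest = line[1:].partition("]")
            if rest.strip():
                notes.append(f"[{stanza}]: text after the header is not ignored: {rest.strip()!r}")
            conf.setdefault(stanza, {})
            continue
        if "=" not in line:
            notes.append(f"[{stanza}]: not a key = value line: {line!r}")
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        conf.setdefault(stanza, {})[key] = value
    return conf, notes

def check_conf(text: str) -> list:
    """Return findings for the pitfalls visible in the files posted above."""
    conf, findings = parse_conf(text)
    for stanza, settings in conf.items():
        for key, value in settings.items():
            if "#" in value:
                findings.append(f"[{stanza}] {key}: trailing comment becomes part of the value {value!r}")
            if stanza.startswith("WinEventLog") and "-" in key:
                findings.append(f"[{stanza}] {key}: WinEventLog keys use underscores ({key.replace('-', '_')})")
        if stanza == "syslog" and f"syslog:{settings.get('defaultGroup', '')}" not in conf:
            findings.append(f"[syslog] defaultGroup={settings.get('defaultGroup')!r} has no [syslog:<group>] stanza")
        if stanza.startswith("syslog:") and not re.fullmatch(r"[\w.\-]+:\d{1,5}", settings.get("server", "")):
            findings.append(f"[{stanza}] server={settings.get('server')!r} is not a bare host:port")
    return findings

# Constructed sample: the outputs.conf exactly as shown in the question.
OUTPUTS_CONF = """[syslog]
defaultGroup=mysyslog
disabled = false
[syslog:mysyslog]
server=192.168.0.99:514    # the IP of the Linux machine
type=udp
"""

if __name__ == "__main__":
    for finding in check_conf(OUTPUTS_CONF):
        print(finding)
```

Running it against the posted outputs.conf reports both problems with the server line; with the annotation moved to its own line the checker returns no findings.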

Damien_Dallimor
Ultra Champion

Just to add to chrisrex's post...as port 514 is in the privileged port range, your Splunk Indexer on Linux would have to be run with "root" permissions for UDP port 514 to open.

http://www.splunk.com/base/Documentation/latest/Installation/RunSplunkasadifferentornon-rootuser

Also, you could try running a network sniffer such as "wireshark" on the windows machine to ensure that syslog packets are actually being sent out over the network interface.

0 Karma

mmather67
Path Finder

Thanks Damien. See above. Also, I can get the Universal Forwarder to send events to the Indexer, but not to syslog.

And thanks for "wireshark". That is the answer to my next question, which has not been asked yet!

0 Karma

chrisrex
Explorer

Can you verify syslog is open on your linux box with netstat -an|grep 514? You should see something like this: udp 0 0 0.0.0.0:514 0.0.0.0:*

0 Karma

mmather67
Path Finder

Thanks Chris. Yes, I am running syslogd as root, and I get exactly what you suggest. In addition, tcpdump shows nothing arriving mentioning port 514. I would expect to see it even if the port was closed. It looks like nothing relevant leaves the Windows machine. (But I do see packets addressed to port 9997.)

0 Karma