Hi all,
Just wondering if someone can help me with sourcing syslog events from a Netcomm router. I tried enabling the syslog from the modem config using the default UDP 514 port, but I'm not sure what IP address to put for the Splunk server. I am using the free version and my modem router is Netcomm. Step-by-step instructions are greatly appreciated. Also, I am very new to the world of networking and log management, but am very keen to learn this domain.
Cheers
Vish
I'm going to assume that you installed Splunk on either your local machine or a machine in your home lab. Once you've installed Splunk, write down the IP of the machine where Splunk is running. That will be the IP of the Splunk server that you will tell your modem to send its syslog data to.
Now, if you're running Splunk on a Windows machine, you will need to open the firewall to allow UDP 514. If you're running Splunk on Linux (or Mac OS X), then you'll either have to run Splunk as root or change the port that your modem is sending syslog to, to 1514 UDP. Also, if you have a firewall running (iptables or the Mac firewall) you will need to open the port as well.
If your modem allows you to change the port from 514 to 1514 (UDP), then all you have to do is modify the input in Splunk to reflect the new UDP port.
You can also just move the inputs.conf file from the $SPLUNK_HOME/etc/apps/homemonitor/default/inputs.conf and put it into $SPLUNK_HOME/etc/apps/homemonitor/local and just make the following changes:
[udp://514]
connection_host = dns
sourcetype=syslog
index = homemonitor
disabled = 0
to
[udp://1514]
connection_host = dns
sourcetype=syslog
index = homemonitor
disabled = 0
To do this from the Web GUI, go to Settings -> Data Inputs -> UDP and click on Add. For the port put in 1514 and then click Next.
In the next screen, under Index, make sure you select the dropdown and select Homemonitor. Click Review and then click Submit.
That should get you started collecting data into your home monitor app. To check, go to Search in the homemonitor app, type in index=homemonitor and hit enter. You should start to see data streaming into Splunk.
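Before pointing the router at the Splunk host, it helps to confirm that something can actually listen on the chosen UDP port and that a syslog datagram arrives intact. The following Python script is an added example, not part of the original thread or of Splunk; it binds a UDP listener on the port (1514 by default, mirroring the answer above), sends itself a constructed BSD-style syslog line over loopback, and decodes the <PRI> prefix into facility and severity. Attempting it on port 514 without root on Linux or macOS raises PermissionError, which is exactly why the answer suggests 1514.

```python
import re
import socket

# Constructed sample line in the classic BSD syslog (RFC 3164) shape that home
# routers commonly emit. PRI <134> = facility 16 (local0) * 8 + severity 6 (info).
SAMPLE_SYSLOG = "<134>Jan  1 12:00:00 router dhcpd: DHCPACK on 192.168.1.20 to aa:bb:cc:dd:ee:ff"

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_pri(line):
    """Split the leading <PRI> field into (facility, severity name, remaining text)."""
    m = re.match(r"^<(\d{1,3})>(.*)$", line, re.DOTALL)
    if not m:
        raise ValueError("missing <PRI> prefix: not a syslog line")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, SEVERITIES[pri % 8], m.group(2)


def loopback_check(port=1514, message=SAMPLE_SYSLOG, timeout=2.0):
    """Bind a UDP listener on `port`, send `message` to it over loopback and
    return the parsed result. Port 0 lets the OS pick a free port (handy for
    tests); ports below 1024 need root on Linux/macOS, so 514 typically fails."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.settimeout(timeout)
    try:
        listener.bind(("127.0.0.1", port))
        bound_port = listener.getsockname()[1]
        sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        try:
            sender.sendto(message.encode("utf-8"), ("127.0.0.1", bound_port))
        finally:
            sender.close()
        data, _addr = listener.recvfrom(65535)  # raises socket.timeout if nothing arrives
    finally:
        listener.close()
    facility, severity, body = parse_pri(data.decode("utf-8", errors="replace"))
    return {"port": bound_port, "facility": facility, "severity": severity, "body": body}


if __name__ == "__main__":
    print(loopback_check())
```

This only exercises the Splunk host's own loopback path; a host firewall rule for the port (Windows Firewall, iptables or the Mac firewall) still has to be checked from the router's side of the network.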