Getting Data In

How to configure a monitor to accept connections from tcp 514

euroa
Engager

I am attempting to set up the Cisco ESA app. On configuring the inputs.conf file I have [monitor://\mail_logs\mail.@20130712T172736.s] per the instructions; however, I need to ensure the app is listening on TCP port 514. Where can I set that?

0 Karma

ryanoconnor
Builder

You're actually going to need to configure two different inputs here. One is for textmail and HTTP logs. The other is for authentication logs.

http://docs.splunk.com/Documentation/AddOns/latest/CiscoESA/ConfigureCiscoESA

For Textmail and HTTP Logs

I would highly recommend following the app instructions as they're laid out pretty nicely. For setting up Splunk to listen on a specific port, you'll want to use the following document http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports#Go_to_the_Add_New_page

For authentication logs

You'll want to use a monitor stanza, but you're going to want to monitor the paths to the files that you are receiving from your ESA administrator. If those are the same as you described above, then that monitor stanza should work.

In a file called inputs.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_cisco-esa/local you'll have something like

[monitor://\authentication.@20130302T122552.s]
sourcetype = cisco:esa:authentication

0 Karma

euroa
Engager

I am not able to add data inputs via Splunk Web on the heavy forwarder. I need to do it via inputs.conf, and the user needs to be able to send data via TCP 514 and not UDP. Unfortunately the instructions only mention the monitor portion, but not what to do if the port is different.

0 Karma

ryanoconnor
Builder

Ah I see, sorry about that.

So your input should be fairly straightforward:

 [tcp://514]
 sourcetype=cisco:esa:http

One thing to note is that if you aren't running Splunk as root, then on many Unix operating systems Splunk won't be able to listen on port 514. You would simply need to change your input stanza to a different port and configure your ESA to send to that port. For example:

 [tcp://5140]
 sourcetype=cisco:esa:http

0 Karma

euroa
Engager

Thank you for your response. We have other hosts that are going to port 514. I've put this into inputs.conf:
[tcp://hostname:514]
source = \mail_logs\mail.@20130712T172736.s
sourcetype = cisco:esa:textmail
index = ironport

Do you happen to know if this would work to collect logs from a particular host going to 514?

0 Karma

ryanoconnor
Builder

So in the case of [tcp://hostname:514] as an example:

If you specify a hostname, the specified port only accepts data from that host.
If you specify nothing for the hostname - [udp://514] - the port accepts data sent from any host.

0 Karma
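To make the two points above concrete (a privileged port needs root, and a stanza without a host accepts data from any sender), here is a small linter for the network stanzas of an inputs.conf. It is an added example, not Splunk's own tooling or the thread's code; the sample config and the hostname esa01.example.net are constructed, and it treats "ports below 1024 need root" as a plain root/non-root distinction.

```python
import configparser
import re
from typing import Dict, List

# Constructed sample inputs.conf echoing the stanzas in this thread (esa01.example.net is made up).
SAMPLE_INPUTS_CONF = """
[tcp://514]
sourcetype = cisco:esa:http

[tcp://esa01.example.net:5140]
sourcetype = cisco:esa:textmail
index = ironport

[monitor://\\authentication.@20130302T122552.s]
sourcetype = cisco:esa:authentication
"""

# Matches [tcp://<host>:<port>] or [tcp://<port>] (likewise udp); no host means any sender is accepted.
NET_STANZA = re.compile(r"^(?P<proto>tcp|udp)://(?:(?P<host>[^:\]]+):)?(?P<port>\d+)$")


def parse_network_inputs(text: str) -> List[Dict[str, str]]:
    """Return one dict per tcp:// or udp:// stanza: proto, host ('' = any), port, plus its settings."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    stanzas = []
    for section in cp.sections():
        m = NET_STANZA.match(section)
        if not m:
            continue  # monitor:// and other stanza types are not network listeners
        stanzas.append({"proto": m.group("proto"), "host": m.group("host") or "",
                        "port": m.group("port"), **dict(cp[section])})
    return stanzas


def check_network_inputs(text: str, running_as_root: bool) -> List[str]:
    """Lint the listeners: ports below 1024 need root on Unix, and a missing host accepts any sender."""
    findings = []
    for s in parse_network_inputs(text):
        label = "[%s://%s%s]" % (s["proto"], s["host"] + ":" if s["host"] else "", s["port"])
        if int(s["port"]) < 1024 and not running_as_root:
            findings.append(label + ": privileged port; a non-root Splunk cannot bind it, "
                            "use a port above 1023 (e.g. 5140) and repoint the sender")
        if not s["host"]:
            findings.append(label + ": no host given, the port accepts data from any sender")
        if "sourcetype" not in s:
            findings.append(label + ": no sourcetype set, events fall back to Splunk's default")
    return findings
```

Running `check_network_inputs(SAMPLE_INPUTS_CONF, running_as_root=False)` flags the bare `[tcp://514]` stanza twice (privileged port, open host) and leaves the host-restricted 5140 stanza clean.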

ryanoconnor
Builder

For a heavy forwarder, it's usually recommended to collect data using something like syslog-ng or rsyslog. You can, however, set up a TCP or UDP input directly using the inputs.conf file. See the following Splunk documentation:

http://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

0 Karma

euroa
Engager

For the location of the monitor, would I then place it under source? For example:
[tcp://:514]
source = \mail_logs\mail.@20130712T172736.s

0 Karma