I am trying to forward events from my current SIEM to the Universal Forwarder using UDP on port 9514. When I run a trace I see data coming in, but I don't see it being picked up by the forwarder. I have tried adding host = IP of the forwarding device.
What am I missing?
Thanks!
I'm not sure the UF can forward UDP as I've never seen that configuration.
The accepted Best Practice for syslog is to send syslog data to a dedicated syslog server (rsyslog, syslog-ng, etc.). A UF is installed on the syslog server to forward data to Splunk.
If I can configure my event source to send via TCP instead of UDP to the UF will that work?
It's most common to have a UF monitor files or directories, but in theory it can do UDP or TCP. What are your inputs.conf settings? Have you verified port 9514 is not in use by another process?
[monitor:///trvapps/logs/mcafee-siem]
# host of the UDP events
host = xx.xx.xx.xx
index = mcafeesiem
sourcetype = syslog_ng
disabled = 0
I ran a trace and validated that I am seeing data from the IP over 9514.
Monitor stanzas are for watching changes to files and directories.
To listen to a TCP or UDP port, you must use a TCP or UDP stanza.
[udp://9514]
acceptFrom = xx.xx.xx.xx
index = mcafeesiem
sourcetype = syslog_ng
disabled = 0
Thank you. When I look in the UI under Settings -> Data Inputs -> UDP I see the source type as tippingpoint. Do I need to set my source type in the inputs.conf file? Can I change this to mcafeesiem?
Thanks!
So it sounds like you already have a UDP listener defined. If that's true, you may need to select a different port for the SIEM.
UFs usually don't have a GUI so I hope you're looking at the right thing. Typically, one modifies a UF configuration by editing .conf files or via CLI commands. In a large installation, a deployment server (DS) is used. In your case, I would edit inputs.conf to add a UDP stanza for the SIEM. Make sure you're not using a port that's already in use.
Also, if you haven't already defined your mcafeesiem sourcetype on your indexers, be sure to do that before changing the forwarder.
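As an added example (not code from the thread or from Splunk), a small Python linter for inputs.conf that catches the mistakes discussed above: a note appended to a host = value, "key: value" instead of "key = value", an upper-case UDP:// stanza header, and two listeners declared on the same port. The sample config is constructed to reproduce those cases.

```python
import re

# Constructed sample (not the poster's real file) reproducing the mistakes
# discussed above: note appended to host=, "key: value", upper-case UDP stanza,
# and port 9514 listened on twice.
SAMPLE_INPUTS_CONF = """\
[monitor:///trvapps/logs/mcafee-siem]
host = xx.xx.xx.xx - host of the UDP events
index = mcafeesiem
sourcetype = syslog_ng
disabled = 0

[udp://9514]
sourcetype = tippingpoint

[UDP://9514]
acceptFrom: xx.xx.xx.xx
index = mcafeesiem
sourcetype = syslog_ng
disabled = 0
"""

STANZA_RE = re.compile(r"^\[([^\]]+)\]$")
LISTENER_RE = re.compile(r"^(udp|tcp)://(?:[^:]*:)?(\d+)$", re.I)

def lint_inputs_conf(text):
    """Return (line_no, message) findings for Splunk inputs.conf text."""
    findings, seen = [], {}          # seen: (proto, port) -> first line number
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"): continue
        m = STANZA_RE.match(line)
        if m:                        # [stanza] header
            lm = LISTENER_RE.match(m.group(1))
            if lm:                   # network listener: udp:// or tcp://
                proto, port = lm.group(1), int(lm.group(2))
                if not proto.islower():
                    findings.append((no, "use lower case: [%s://%d]" % (proto.lower(), port)))
                key = (proto.lower(), port)
                if key in seen:
                    findings.append((no, "%s port %d already has a listener at line %d; pick another port" % (key[0], port, seen[key])))
                seen.setdefault(key, no)
            continue
        if "=" not in line:          # Splunk settings are always key = value
            findings.append((no, "'%s' is not 'key = value' (':' is not a separator)" % line.split(":", 1)[0].strip()))
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "host" and re.search(r"\s", value):
            findings.append((no, "host value contains spaces; everything after '=' is the value, put notes on a '#' line"))
    return findings
```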