Getting Data In

How to confirm a udp input is running?

a212830
Champion

Hi,

I'm having issues with what should be a very basic setup. I have an appliance sending syslog messages to a heavy forwarder, on port 514, using UDP. I've verified that the events are coming in via tcpdump. My input is set up to listen on port 514, and nothing else is listening on it, but the events are not appearing in the indexer. I've checked for all-time and recent time, and manually sent some events via netcat. I do not see anything in the logs indicating that Splunk is even listening for this data. Should some message appear somewhere, indicating that it's listening on port 514, similar to how it shows what logs are being watched? The HFW can talk to the indexer, as internal events are appearing.

Inputs:

[udp://514]
connection_host = dns
index = main
sourcetype = syslog
disabled = no
queueSize = 1KB
0 Karma
1 Solution

mattymo
Splunk Employee
Splunk Employee

is this HF on CentOS or RHEL?? firewalld/iptables all good? also 514 is privileged, is Splunk root? might have to dance around that a bit

firewall-cmd --list-all

firewall-cmd --permanent --zone=public --add-port=514/udp

systemctl restart firewalld.service

- MattyMo


sloshburch
Splunk Employee
Splunk Employee

ahem: Worst Practices...and How to Fix Them
Start at 3min in.

You know I'm always willing to give a good hassle to ya! 😉

0 Karma

mattymo
Splunk Employee
Splunk Employee

no doubt! @a212830, now that we got ya up and running, you will want to explore items like not running Splunk as root, using syslog receivers like rsyslog or syslog-ng to put data to disk and pick it up with a UF, or check out options for scale using HEC!

http://conf.splunk.com/sessions/2017-sessions.html#search=HEC%20with%20syslog&

- MattyMo
0 Karma

a212830
Champion

Indeed! Actually, this isn't mine... a friend in another group was trying to get his data into a different BU's Splunk, and they weren't able to get it done, so he tried it, and I finished it for him. He's been advised not to run as root...

0 Karma

a212830
Champion

running as root. RH7.

0 Karma

mattymo
Splunk Employee
Splunk Employee

did you create a rule in firewalld for udp 514?

- MattyMo
0 Karma

a212830
Champion

It's udp, and I see the events coming in via tcpdump.

0 Karma

mattymo
Splunk Employee
Splunk Employee

oops. updated. tcpdump is a good start but sees the packets before they are dropped.

- MattyMo
0 Karma
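An added diagnostic script, written for this thread rather than taken from it or from Splunk, that turns the checks raised above (is anything bound to udp/514, is firewalld letting the datagrams through, is the port privileged for a non-root splunkd) into repeatable steps. It assumes `ss` and `firewall-cmd` are on the host when run live; the parsing helpers read command output from stdin so they can be exercised with constructed samples.

```shell
#!/bin/bash
# udp_input_check.sh - the three checks behind "is my UDP input running?":
# is anything bound to the port, does firewalld let the datagrams through,
# and is the port privileged for a non-root splunkd. Pure-text helpers take
# command output on stdin so they can be tested with constructed samples.

# udp_listener PORT: reads `ss -ulnp` output, prints the owning process
# column (empty unless ss was run as root / the socket owner), exits 1 if
# nothing is bound to udp/PORT.
udp_listener() {
    awk -v pat=":$1\$" '
        NR > 1 && $4 ~ pat { found = 1; print ($6 == "" ? "(owner hidden: run ss as root)" : $6) }
        END { exit !found }'
}

# firewalld_allows PORT: reads `firewall-cmd --list-all` output, exits 0 only
# when the zone's "ports:" line opens PORT/udp (1514/udp must not match 514).
firewalld_allows() {
    grep -Eq "^[[:space:]]*ports:.*[[:space:]]$1/udp([[:space:]]|\$)"
}

# port_needs_root PORT: ports below 1024 cannot be bound by an unprivileged
# splunkd without extra capabilities, so the bind fails and the input never
# listens, even though inputs.conf says disabled = no.
port_needs_root() { [ "$1" -lt 1024 ]; }

# check_live [PORT]: run the checks on this host (default udp/514).
# Note: a netcat test from the forwarder to 127.0.0.1 rides the loopback
# interface and never touches the firewalld zone rules; send the probe from
# the appliance (or another host) to exercise the same path as the real feed.
check_live() {
    port=${1:-514}
    if owner=$(ss -ulnp | udp_listener "$port"); then
        echo "udp/$port is bound by: $owner"
    else
        echo "nothing bound to udp/$port: input disabled, or the bind failed"
        port_needs_root "$port" && echo "  privileged port: look for a bind/permission error in splunkd.log"
    fi
    if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
        if firewall-cmd --list-all | firewalld_allows "$port"; then
            echo "firewalld: udp/$port is open in the default zone"
        else
            echo "firewalld: udp/$port is NOT open (tcpdump still shows the packets arriving)"
        fi
    fi
}

if [ "${1:-}" = "--live" ]; then check_live "${2:-514}"; fi
```

Run it as `./udp_input_check.sh --live 514` on the heavy forwarder; without `--live` it only defines the helpers.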

a212830
Champion

But, yes, you are right. Firewalld is the culprit. Apparently it's enabled by default on RH7, but not RH6.

Thanks!

0 Karma

mattymo
Splunk Employee
Splunk Employee

nice! will update the answer with the command, was about to post it

- MattyMo
0 Karma