How to add multiple firewall to splunk

jibin1988
Path Finder

Hi Splunkers,

I am configuring Splunk as a syslog server. I want to add 3 to 4 firewalls, but I am unable to add them to port 514. It's throwing the error "Parameter name: UDP port 514 is not available". I already added port 514 for one firewall. I want to add the next firewall. How can I add that? Syslog will listen on port 514. Kindly help.


nickhills
Ultra Champion

I'm reading the question as:

You have added one firewall input on port 514 - and you want to add another?

By default you can only configure one input per UDP port, so if you want to add a different input, you will need to use a different port such as 515, 516, etc., although see above for a method which allows you to restrict by remote host.

If my comment helps, please give it a thumbs up!

jibin1988
Path Finder

Hi Nickhillscpl,

Thank you, brother. I was in a sort of mindset that syslog can only use 514 as the port. Now I got it.
Thank you.
:)


nickhills
Ultra Champion

No, you should be able (in most systems) to use any UDP port.
In some cases, as @harsmarvania57 notes, Splunk may not be running as root, and so you would have to pick higher port numbers, e.g. 5514, 5515, etc.
We do this as a matter of course, as we don't use root!

If my comment helps, please give it a thumbs up!

harsmarvania57
SplunkTrust

Hi @jibin1988,

If I am understanding your question correctly, you want to send data from your firewall to Splunk on UDP port 514?

If so, then first you need to configure your Splunk instance to listen on UDP port 514; please refer to http://docs.splunk.com/Documentation/Splunk/7.0.1/Data/Monitornetworkports to configure this. (There is a limitation on Linux: if you are running Splunk on a Linux box as a user other than root, which is best practice, then you can't configure UDP port 514, because on Linux only the root user can occupy ports below 1024.)

Then configure your firewall to send data to the Splunk instance on the configured UDP port.

jibin1988
Path Finder

Hi,

Thank you for your reply. You are right. I want to send my data from my firewall to Splunk on UDP port 514. I already did that with one firewall. Now I want to send data from another firewall to Splunk on UDP port 514. How can I do that? That is my question. I want to add 4 more firewalls to send syslog to Splunk on port 514. I am following that same link, but I am unable to add the second firewall. I am getting the error "Parameter name: UDP port 514 is not available".


harsmarvania57
SplunkTrust

I think you have configured something like this:

[udp://<remote server>:<port>]
<attribute1> = <val1>
<attribute2> = <val2>

This setting will restrict the input and accept data from only one node (firewall).
If you specify nothing for <remote server>, i.e. [udp://<port>], the port accepts data sent from any host.
And then just configure your 2nd,3rd and 4th firewall to send data to same splunk server on 514 port.

jibin1988
Path Finder

I configured it in the GUI, not by editing inputs.conf. I tried it with different ports, 515, 516, etc. It's accepting. Thank you for the support. 🙂


harsmarvania57
SplunkTrust

That's great, then you can accept @nickhillscpl's answer, but for hundreds of firewalls it will be complicated to configure so many ports, so in that case I'd suggest running only a single UDP port.


jibin1988
Path Finder

This is what I am looking for. I don't want to add many ports. I want to run all the syslog on port 514 only. For that, you mean to say I have to edit the inputs.conf file? Can you please give an example? My inputs.conf is something like this:

[udp://xxx.xxx.xx.x:514]
connection_host = ip
sourcetype = syslog


harsmarvania57
SplunkTrust

Your inputs.conf will be like this:

[udp://514]
connection_host = ip
source = syslog
sourcetype = syslog

After changing the configuration file you need to restart Splunk.

EDIT: You can remove source from the configuration file; in that case the default source will be host:port.

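The two inputs.conf layouts discussed above (one host-restricted stanza per sender, versus one [udp://<port>] stanza shared by every firewall) and the two failure modes (a second stanza on an already bound UDP port, which is what surfaces as "UDP port 514 is not available", and a port below 1024 when splunkd is not root) can be checked mechanically. The following is an added example, not code from the thread or from Splunk: a minimal Python checker for UDP stanzas plus generators for both working layouts. The parser is a small INI reader of my own, not Splunk's btool; the finding levels, the helper names, and the 192.0.2.x addresses (RFC 5737 documentation range) are constructed for the example. One caveat worth keeping in mind with either layout: a <remote server> restriction only compares the UDP source address, which a sender on the network can forge, so it is not an access control; reachability of the port should be limited by host or network firewall rules.

```python
"""Added example: sanity-check Splunk inputs.conf UDP syslog stanzas.

Assumptions (not stated in the thread): findings are (level, message) tuples
with level in {"error", "warn", "info"}; sample addresses are constructed.
"""
import re
from collections import defaultdict

# [udp://<remote server>:<port>] restricts the input to one sender;
# [udp://<port>] accepts syslog from any host. (IPv4 hosts only here.)
UDP_STANZA = re.compile(r"^\[udp://(?:(?P<host>[^\]:]+):)?(?P<port>\d{1,5})\]$")


def parse_inputs_conf(text):
    """Parse INI-style .conf text into [(stanza_name, {key: value}), ...].

    Duplicate stanza names are kept in file order on purpose (configparser
    would merge or reject them); duplicate UDP stanzas are what we look for.
    """
    stanzas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanzas.append((line, {}))
        elif "=" in line and stanzas:
            key, value = line.split("=", 1)
            stanzas[-1][1][key.strip()] = value.strip()
    return stanzas


def check_udp_inputs(text, running_as_root=False):
    """Return findings for every [udp://...] stanza in inputs.conf text."""
    findings = []
    senders_by_port = defaultdict(list)
    for name, _attrs in parse_inputs_conf(text):
        m = UDP_STANZA.match(name)
        if not m:
            continue
        port, host = int(m.group("port")), m.group("host")
        senders_by_port[port].append(host or "*")
        if port < 1024 and not running_as_root:
            findings.append(("error", f"udp/{port}: ports below 1024 need root on "
                             f"Linux and splunkd is not root; use a high port such as udp/5514"))
        if host is None:
            findings.append(("info", f"udp/{port}: accepts syslog from any source; UDP "
                             f"source addresses are unauthenticated, limit reachability with firewall rules"))
    for port, hosts in sorted(senders_by_port.items()):
        if len(hosts) > 1:
            findings.append(("error", f"udp/{port}: {len(hosts)} stanzas ({', '.join(hosts)}) bind "
                             f"the same port, Splunk reports 'UDP port {port} is not available'; "
                             f"keep one [udp://{port}] stanza for all senders or use one port per sender"))
    return findings


def shared_port_stanza(port=514, sourcetype="syslog"):
    """Layout from the accepted answer: one stanza, every firewall sends to the same port."""
    return f"[udp://{port}]\nconnection_host = ip\nsourcetype = {sourcetype}\n"


def per_sender_stanzas(senders, base_port=5514, sourcetype="syslog"):
    """Layout from nickhills' reply: one restricted stanza per firewall, each on
    its own high port so splunkd does not need root."""
    return "\n".join(
        f"[udp://{ip}:{base_port + i}]\nconnection_host = ip\nsourcetype = {sourcetype}\n"
        for i, ip in enumerate(senders)
    )


# Constructed: what adding a second host-restricted firewall on udp/514 produces.
BROKEN_CONF = """\
[udp://192.0.2.10:514]
connection_host = ip
sourcetype = syslog

[udp://192.0.2.11:514]
connection_host = ip
sourcetype = syslog
"""

FIREWALLS = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13"]

if __name__ == "__main__":
    for level, msg in check_udp_inputs(BROKEN_CONF, running_as_root=True):
        print(f"[{level}] {msg}")
    print("\n# fixed, shared port:\n" + shared_port_stanza(514))
    print("# fixed, one high port per firewall:\n" + per_sender_stanzas(FIREWALLS))
```

Run it as a script to see the duplicate-port error for the constructed config and both corrected layouts; point check_udp_inputs() at the contents of your own $SPLUNK_HOME/etc/system/local/inputs.conf (or the app's local/inputs.conf) to check a real deployment before restarting splunkd.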

jibin1988
Path Finder

I am confused again. Which IP will it take if we give:

[udp://514]
connection_host = ip
source = syslog
sourcetype = syslog

Again, if I want to add the 2nd firewall, do I have to add the same text above again?


harsmarvania57
SplunkTrust

You just need to add that configuration once on the Splunk server. After that, provide your Splunk server IP and UDP port in your different firewalls so that each firewall will push data to the Splunk server over UDP port 514.


jibin1988
Path Finder

harsmarvania57,

Kudos 🙂 .... That's great. I got it now. This is what I was looking for. Thank you, bro. (Y)

harsmarvania57
SplunkTrust

Glad to hear it. I have converted my comment to an answer; please accept it and upvote it.
