Syslog from Cisco ASA directly into SPLUNK on Ubuntu 12.04 64bit Server

jsmander
Explorer

Hi all

Let me preface this with: I am new to SPLUNK - I installed it 2 hours ago & I think it's great.
I have tried to find the answers from the docs and other posts, but can't find something that will make it work.

SETUP:
SPLUNK 4.3.4 installed on Ubuntu 12.04 64 bit Server. Installed using tgz not deb file.
Installed as user to /home/john/opt not as sudo to /opt

SUCCESS:
Have added Data Source from local folder /var/log & this works great SPLUNK has indexed it and made it searchable

NEXT STEP:

To add my Cisco ASA as a data source. Now I've tried Add > Data Input > UDP > 514 ... but I get the error message "Encountered the following error while trying to save: In handler 'udp': Parameter name: UDP port 514 is not available"

Running netstat -tuna on the Ubuntu Server confirms UDP/514 is not listening. I wanted the SPLUNK server to open that port and "manage" it. I want to keep things as simple as possible and not install another syslog server and then forward onto SPLUNK. What is the most simple solution? Any guides or links much appreciated.

Thanks,
JSM

DETAILED Cisco Commands applied to ASA:

logging enable
logging buffer-size 16096
logging buffered warnings
logging trap notifications
logging history notifications
logging asdm warnings
logging host inside monitoring

NB "monitoring" is my SPLUNK Server 192.168.1.48

This means my Cisco ASA is sending Syslog messages to the Ubuntu Server.

1 Solution

dwaddle
SplunkTrust

Are you running Splunk as root? If not, you can't listen on ports < 1024. You could make Splunk listen on something like 5140 and tell the ASA to use that UDP port instead.

Also, Ubuntu has an iptables-based firewall by default. You'll need to poke the necessary holes for the UDP data to flow.

bmacias84
Champion

Question: was that server already in use?

Two thoughts: First, the most likely reason for the error is that an application on that server already uses that port on the splunk host. Second, it could be a permission issue; try starting splunk using sudo ./splunk start. If that works, you have a permission issue with accessing privileged ports.

Note: If you installed Splunk with a non-root user on Linux, typically you can't listen on ports below 1024.

Suggestions if permission issue:

  1. Try using iptables as a workaround.
  2. Give the splunk user root rights
  3. Use setcap CAP_NET_BIND_SERVICE or authbind
  4. Change your ASA syslog port for Splunk to a higher port like 5447


#for setcap
setcap 'cap_net_bind_service=+ep' /opt/splunk/bin/splunk
#not sure of syntax for authbind.

Other docs:
Ubuntu authbind manpage
Linux Capabilities manpage
Stack overflow non-root access privileged ports
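An added example (not from any poster in this thread and not Splunk's own code) that separates the two causes discussed above, EADDRINUSE versus EACCES on a UDP bind, and then receives and parses one Cisco ASA syslog datagram on an unprivileged port. The sample message is constructed in the ASA `<PRI>%ASA-level-msgid:` format; the host, port and function names are assumptions for illustration.

```python
import errno
import re
import socket

# Constructed sample datagram in Cisco ASA syslog format (not captured from the poster's ASA).
SAMPLE_ASA_MSG = b"<165>%ASA-5-111008: User 'enable_15' executed the 'logging trap notifications' command."

ASA_RE = re.compile(r"^<(?P<pri>\d{1,3})>%ASA-(?P<level>\d)-(?P<msgid>\d{6}):\s*(?P<text>.*)$")


def probe_udp_port(port, host="0.0.0.0"):
    """Try to bind a UDP socket and report why it failed: the two causes raised in the thread."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "ok"
    except PermissionError:
        return "permission"  # EACCES: non-root process binding a port below 1024
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in-use"  # another daemon (e.g. a local syslogd) already owns the port
        raise
    finally:
        sock.close()


def parse_asa_syslog(datagram):
    """Split <PRI>%ASA-level-msgid: text into fields; PRI = facility * 8 + severity."""
    match = ASA_RE.match(datagram.decode("ascii", errors="replace"))
    if not match:
        return None
    pri = int(match.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "level": int(match.group("level")),
            "msgid": match.group("msgid"), "text": match.group("text")}


def receive_one_datagram(host="127.0.0.1", port=5140, timeout=2.0):
    """Bind the unprivileged port, send the constructed sample to it over loopback, parse what arrives."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind((host, port))
        listener.settimeout(timeout)
        sender.sendto(SAMPLE_ASA_MSG, listener.getsockname())
        data, _ = listener.recvfrom(4096)
        return parse_asa_syslog(data)
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    print("UDP/514:", probe_udp_port(514))  # "permission" when run as an ordinary user
    print(receive_one_datagram(port=0))     # port 0 picks any free port for the self-contained demo
```

Run as the splunk user, `probe_udp_port(514)` reproduces the "port 514 is not available" condition and tells you which of the two fixes (setcap/authbind versus stopping the other listener) actually applies.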

dwaddle
SplunkTrust

The capabilities thing looks totally boss. Need to look into this further. Thanks for the info!

0 Karma

jsmander
Explorer

Hi. I used the following commands to forward UDP 514 to UDP 5140 & Setup SPLUNK to collect data on 5140. It worked great. Thanks
sudo iptables -t nat -I PREROUTING --src 0/0 --dst 192.168.1.48 -p udp --dport 514 -j REDIRECT --to-ports 5140

0 Karma

kristian_kolb
Ultra Champion

And if you have weird/old appliances where you cannot use a port other than 514, you could set up local port forwarding from 514 to your chosen high port.

0 Karma