This is a little hackish, but it does work with Splunk on linux. You can configure Splunk to listen on a > 1024 port and use Linux's iptables to do port redirection.
For example, configure in inputs.conf: [udp:2514]
And put into your iptables config:
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 2514
The only caveat is that this doesn't work with network traffic sourced at the local machine to port 514 on that same machine. But, this should be an acceptable workaround as most 'local' syslog stuff goes to a file, or through a UNIX domain socket like /dev/log.
If you're lucky enough to be running Solaris, it's not the least hackish. Just start splunk via the SMF and add the net_privaddr privilege to your manifest:
<method_credential group='splunk' limit_privileges=':default' privileges='basic,file_dac_read,net_privaddr' supp_groups=':default' user='splunk'/>
This is a little hackish, but it does work with Splunk on linux. You can configure Splunk to listen on a > 1024 port and use Linux's iptables to do port redirection.
For example, configure in inputs.conf: [udp:2514]
And put into your iptables config:
iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 2514
The only caveat is that this doesn't work with network traffic sourced at the local machine to port 514 on that same machine. But, this should be an acceptable workaround as most 'local' syslog stuff goes to a file, or through a UNIX domain socket like /dev/log.