Local or Domain

Jizbo
New Member

Hi, I've installed Splunk Enterprise on a standalone Win 10 box. I don't have Active Directory in my home. Installed Splunk with Home Monitor as a local user. I want to read the syslog from my Asus router. However, nothing is showing up in my dashboard. Yes, UDP 514 is allowed on the Win 10 box. Am I doing something wrong?


Elsurion
Communicator

Are you collecting data from the UDP port? Just enabling it at the OS level is not enough.
Check if you have an entry under Data Inputs -> UDP, or check the inputs.conf file in (probably) etc/apps/search/local
The entry should look like this:

[udp://514]
connection_host = dns
index = main
sourcetype = syslog

And check it with

index=main sourcetype=syslog

to see if any event shows up.

When nothing shows up, and you can send test events from your router, trigger them and check for them with an All time search.
If still nothing shows up, check the router log, and check on the command line with netstat whether the port is open and a process is listening on it.


Jizbo
New Member

Here's my inputs.conf file:

[udp://514]
disabled = 0
connection_host = IP
sourcetype = syslog
index = homemonitor
disabled = 1

# Bandwidth Input for Linux Machines

[script://./bin/speedtest.sh]
interval = 1800.0
source = bandwidth_test
sourcetype = bandwidth_test
disabled = 1

# Bandwidth Input for Windows Machines

# Enable the Windows input manually, not through the setup.xml page.

[script://$SPLUNK_HOME\etc\apps\homemonitor\bin\speedtest.bat]
disabled = 0
interval = 1800.00
source = bandwidth_test
sourcetype = bandwidth_test
disabled = 1


Elsurion
Communicator

Ok, remove all disabled = 1 in your inputs.conf, or at least the one under the [udp://514] input.
disabled = 1 means that this monitor/script is disabled and will be ignored.

Also, to test whether it works, use index=main; after the check you can use index=homemonitor again, since this index isn't installed by default.

For the rest, always define a destination index with index = ; that way you will find your data more easily.


Jizbo
New Member

"No results found". Bummer, I was hoping this would work. Just to be clear, if I install Splunk as a local user, can I read data sent to it from my router, NAS, etc.? I'm batting zero on why I can't get data feeds.


Elsurion
Communicator

As long as this user is able to bind this port, yes.

I don't know how Windows keeps track of the used ports, but under Linux you need to be a higher-privileged user to use any port under 1024. I'm using my own set of ports, since my user splunk is not privileged. So that I can read normal syslog stuff, I'm mapping port 514 to a high port like 5514.
Most devices are able to use other ports than 514, just as a side note.

Under Linux you could check if the UDP port is listening this way:

 netstat -uanc | grep 514

Under Windows it could be this command:

netstat -p UDP

Wireshark is also a valid option 🙂 with udp.port == 514; there you can drill into the data stream. But you have to be a high-privilege user, since you have to bind the whole network device.


Jizbo
New Member

I'm at a loss. Any other ideas?


Elsurion
Communicator

Did you try the netstat command I wrote?


Jizbo
New Member

Strange, on my Windows box (running Splunk) here's the output:

C:\WINDOWS\system32> netstat -p UDP

Active Connections

Proto Local Address Foreign Address State

C:\WINDOWS\system32>


Jizbo
New Member

UDP    0.0.0.0:514            *:*
UDP    0.0.0.0:3389           *:*
UDP    0.0.0.0:3702           *:*
UDP    0.0.0.0:3702           *:*
UDP    0.0.0.0:5050           *:*
UDP    0.0.0.0:5353           *:*
UDP    0.0.0.0:5355           *:*
UDP    0.0.0.0:65370          *:*
UDP    127.0.0.1:1900         *:*
UDP    127.0.0.1:50953        *:*
UDP    127.0.0.1:55277        *:*
UDP    192.168.1.100:137      *:*
UDP    192.168.1.100:138      *:*
UDP    192.168.1.100:1900     *:*
UDP    192.168.1.100:50952    *:*


Jizbo
New Member

In the Foreign Address column of the netstat output, all my UDP ports end with . instead of a domain. Also the State column is empty (not listening or established).


Jizbo
New Member

netstat columns end with "start dot star" (apparently we are not allowed to post the real symbols on this forum)


Jizbo
New Member

Sorry, meant to say "star, colon, star"


Elsurion
Communicator

Is the output with the many ports from your system?
At least this one is showing something on port 514.
Curious is that you don't get any plain foreign address and a state.
Like this one here:

Proto Recv-Q Send-Q Local Address           Foreign Address         State      
udp        0      0 0.0.0.0:5514            0.0.0.0:*         

It is taken from my Linux system.
I assume now that's the format it should be under Windows too, so you're basically open to the whole world with the 0.0.0.0:* (any:5514 from any:any); the any is basically every interface you have in your PC.
And I don't have any active syslog input into Splunk at the moment.

When I just take the netstat -p UDP output, then it says that you don't have any connection up and running on 514.

One thing that I could suggest to check if the port is open is netcat (dunno if available for Windows):

13:44 elsurion@monsterine ✓ ~ $ nc -v -u -z -w 3 monsterine 4414
13:44 elsurion@monsterine ✓ ~ $ echo $?
1
13:44 elsurion@monsterine ✓ ~ $ nc -v -u -z -w 3 monsterine 5514
Connection to monsterine 5514 port [udp/*] succeeded!
13:44 elsurion@monsterine ✓ ~ $ echo $?
0
13:44 elsurion@monsterine ✓ ~ $ 

When it works, ok.

When it still doesn't work, take another port > 1024 for this syslog input if your router supports it. Normally it should be no problem setting up a listener on 514, but under Windows I don't know.

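Elsurion's two checks above, sending a test event at the collector and confirming with netstat or netcat that a process actually holds UDP 514, can both be done from a small script, which also gets around netcat not being available on Windows. The following Python is an added example written for this thread; it is not code from the thread, from Splunk or from the Home Monitor app. It builds a well-formed RFC 3164 syslog line and sends it to the collector the way a router would; tells whether some process already owns the port by trying to bind it; and, with Splunk's UDP input disabled, binds the port itself and returns the raw datagram the router sends, which shows whether the router's packets reach the box at all (a "succeeded" from nc -u -z only means no ICMP port-unreachable came back). The host 192.168.1.100 is taken from the netstat output posted above and, like port 514, is a placeholder for your own values; the sample syslog line is constructed.

```python
"""Troubleshooting a Splunk UDP syslog input from outside Splunk.

Added example for this thread, not code from Splunk or the Home Monitor app.
  is_udp_port_bound(port)     does some process (Splunk?) already own the port?
  open_listener/receive_once  bind the port yourself (stop Splunk's input first)
                              and return the raw datagram the router really sends
  send_test_event(host, port) send one RFC 3164 message the way a router would
Assumptions: 192.168.1.100 and 514 are placeholders. Binding a port below 1024
needs root on Linux (Elsurion's point); Windows has no such restriction.
"""
import errno
import re
import socket
from datetime import datetime

# RFC 3164 wire format: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG, PRI = facility*8+severity
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.S)


def build_syslog_message(facility, severity, hostname, text, when=None):
    """Return one RFC 3164 line; the day of month is space-padded to 2 chars."""
    if not (0 <= facility <= 23 and 0 <= severity <= 7):
        raise ValueError("facility must be 0-23 and severity 0-7")
    when = when or datetime.now()
    ts = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{ts} {hostname} {text}"


def parse_syslog_message(line):
    """Split a syslog line into fields; flag lines without a proper header."""
    m = SYSLOG_RE.match(line)
    if not m:
        return {"malformed": True, "raw": line}
    pri = int(m["pri"])
    return {"malformed": False, "facility": pri // 8, "severity": pri % 8,
            "timestamp": m["ts"], "host": m["host"], "message": m["msg"]}


def is_udp_port_bound(port, host="0.0.0.0"):
    """True if another process holds the UDP port (bind fails with 'address in
    use'), False if it is free. PermissionError if the OS refuses the bind for
    privilege reasons (ports below 1024 as a non-root user on Linux)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno in (errno.EADDRINUSE, 10048):  # 10048 = WSAEADDRINUSE
                return True
            if e.errno in (errno.EACCES, errno.EPERM):
                raise PermissionError(f"not allowed to bind UDP {port}") from e
            raise
    return False


def open_listener(port, host="0.0.0.0"):
    """Bind a UDP socket; port 0 lets the OS pick a free ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    return s


def receive_once(sock, timeout=30.0):
    """Wait for one datagram; return it parsed with its sender, or None on timeout."""
    sock.settimeout(timeout)
    try:
        data, (src_ip, src_port) = sock.recvfrom(65535)
    except socket.timeout:
        return None
    parsed = parse_syslog_message(data.decode("utf-8", "replace").rstrip("\r\n"))
    parsed["source"] = f"{src_ip}:{src_port}"
    return parsed


def send_test_event(host, port, hostname="syslog-probe", text="splunk udp input test"):
    """Send one user.info event (facility 1, severity 6); return the line sent so
    it can be searched for afterwards, e.g. index=* "splunk udp input test"."""
    line = build_syslog_message(1, 6, hostname, text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), (host, port))
    return line


def loopback_roundtrip():
    """Self-check of sender and listener over 127.0.0.1 on an ephemeral port."""
    with open_listener(0, "127.0.0.1") as lst:
        send_test_event("127.0.0.1", lst.getsockname()[1])
        return receive_once(lst, timeout=5.0)


# Constructed sample line (not a real router's output).
SAMPLE_WHEN = datetime(2024, 3, 5, 13, 44, 1)
SAMPLE_LINE = build_syslog_message(1, 6, "RT-TEST", "hello", SAMPLE_WHEN)


if __name__ == "__main__":
    SPLUNK_HOST, PORT = "192.168.1.100", 514  # assumed placeholders
    print("sample line:", SAMPLE_LINE)
    print("loopback roundtrip:", loopback_roundtrip())
    print(f"UDP {PORT} held by another process:", is_udp_port_bound(PORT))
    # On the Splunk box with its UDP input disabled, to see what the router sends:
    #   receive_once(open_listener(PORT)), then trigger a log event on the router.
    # From any other LAN box, to feed Splunk and then search for the returned line:
    #   send_test_event(SPLUNK_HOST, PORT)
```

On Windows, netstat -a -n -p UDP lists bound UDP sockets with their *:* foreign address; without -a netstat shows only connections, which UDP never has, so the empty output earlier in the thread is expected rather than a sign that nothing is bound. is_udp_port_bound gives the same answer programmatically. A datagram arriving in receive_once while index=main sourcetype=syslog stays empty points at the inputs.conf stanza or the index; no datagram at all points at the router's remote-log setting or the Windows firewall rather than at Splunk.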

Jizbo
New Member

Thanks elsurion. Netcat does not work in windows.


dantimola
Communicator

Have you already configured your router to send syslog to your machine?


Jizbo
New Member

Yes, my Asus router is set up to send logs to my Splunk box on UDP 514.


skoelpin
SplunkTrust

You should look at the internal Splunk logs for an error

index=_internal sourcetype=splunkd


Jizbo
New Member

No errors showing up. However, it appears the entries are all from the Splunk machine (Win 10 stand-alone box). I don't see any syslog entries coming in from my Asus router.
