
Pi-hole DNS App for Splunk: Why are we getting error "no route to host" when sending logs from pi-hole to Splunk with a UF?

johnny21

I am attempting to send DNS logs from Pi-hole to Splunk. I have the Universal Forwarder installed on the Pi-hole, and when I attempt to start Splunk on the UF I get the following error.
I confirmed that the Splunk host is listening on TCP 5353 for that connection and can ping the host from the pi-hole.
Any ideas on what I am missing?

05-29-2019 12:40:42.231 -0400 WARN  TcpOutputFd - Connect to 10.0.155.157:5353 failed. No route to host
05-29-2019 12:40:42.231 -0400 ERROR TcpOutputFd - Connection to host=10.0.155.157:5353 failed
05-29-2019 12:40:42.232 -0400 WARN  TcpOutputFd - Connect to 10.0.155.157:5353 failed. No route to host
05-29-2019 12:40:42.232 -0400 ERROR TcpOutputFd - Connection to host=10.0.155.157:5353 failed

root@raspberrypi:/opt/splunkforwarder/etc/system/local# ping 10.0.155.157
PING 10.0.155.157 (10.0.155.157) 56(84) bytes of data.
64 bytes from 10.0.155.157: icmp_seq=1 ttl=64 time=0.564 ms
64 bytes from 10.0.155.157: icmp_seq=2 ttl=64 time=0.530 ms
64 bytes from 10.0.155.157: icmp_seq=3 ttl=64 time=0.532 ms


Here are the config files on my pi-hole:

inputs.conf

root@raspberrypi:/opt/splunkforwarder/etc/system/local# cat inputs.conf 
[default]
host = raspberrypi
[monitor:///var/log/pihole.log]
index = pihole
sourcetype = dnsmasq
disabled = false

outputs.conf

root@raspberrypi:/opt/splunkforwarder/etc/system/local# cat outputs.conf 
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = 10.0.155.157:5353

[tcpout-server://10.0.155.157:5353]

props.conf

root@raspberrypi:/opt/splunkforwarder/etc/system/local# cat props.conf 
[dnsmasq]
NO_BINARY_CHECK = true
DATETIME_CONFIG = 
TIME_FORMAT = %b %d %H:%M:%S
MAX_TIMESTAMP_LOOKAHEAD = 24

johnny21

It was the host-based FW blocking the connection.
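An added example, not part of the original thread: a small TCP probe that tells apart the failure modes behind a forwarder's connection errors, including the "No route to host while ping works" case seen above. The function names and diagnosis strings are this example's own, and the interpretations are general TCP/IP behaviour rather than Splunk output.

```python
import errno
import socket
import sys

# What each connect() result usually means for a forwarder-to-indexer session.
# These are general TCP/IP interpretations, not Splunk-specific messages.
DIAGNOSIS = {
    0: "open: a listener accepted the connection",
    errno.ECONNREFUSED: "refused: host reached, but no listener on the port "
                        "(or a firewall answered with TCP RST)",
    errno.EHOSTUNREACH: "no route to host: if ping works, a firewall is "
                        "rejecting this port with an ICMP unreachable reply",
    errno.ENETUNREACH: "network unreachable: the sender has no route to "
                       "the destination network",
    errno.ETIMEDOUT: "timed out: packets silently dropped (firewall DROP "
                     "rule) or host down",
}

def classify_errno(code):
    """Map an errno value to a short diagnosis string."""
    return DIAGNOSIS.get(code, "other: " + errno.errorcode.get(code, str(code)))

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect; return (errno, diagnosis). 0 means success."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        code = 0
    except socket.timeout:          # must precede OSError, its parent class
        code = errno.ETIMEDOUT
    except OSError as exc:
        code = exc.errno or -1
    finally:
        sock.close()
    return code, classify_errno(code)

if __name__ == "__main__":
    # Usage: python3 probe.py <receiver-ip> <port>
    host, port = sys.argv[1], int(sys.argv[2])
    code, verdict = probe(host, port)
    print(f"{host}:{port} -> errno {code}: {verdict}")
```

Run it on the forwarder against the receiver's address and port. A successful ping only shows that ICMP echo is permitted; it says nothing about whether the TCP port is allowed through the receiver's firewall.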
