Deployment Architecture

UDP listening is not receiving events on one of my Universal Forwarders.

donaldwayne1975
Path Finder

UDP listening is not working on one of my UFs. I have PCAPs confirming the events are successfully making it from the expected source to the system the UF is installed on. So it is not the sending device or the local firewall on the UF system. Below is the error showing in the splunkd log:

12-06-2019 18:02:26.913 +0100 ERROR UDPInputProcessor - Error binding to socket in UDPInputProcessor: The operation completed successfully.

Maybe the account the Splunk Universal Forwarder service is running as does not have the right privileges on the system???

1 Solution

arjunpkishore5
Motivator

I would guess there is a port conflict. Have you tried changing the port number to something else for your UDP input?

If your UF is on a Linux system, use the following to confirm whether the port is being used by another process - https://www.tecmint.com/find-out-which-process-listening-on-a-particular-port/

For Windows, use this - https://stackoverflow.com/questions/48198/how-can-you-find-out-which-process-is-listening-on-a-port-...

Please also refer to this post which was answered by @martin_mueller - https://answers.splunk.com/answers/145270/problems-creating-an-udp-input-error-binding-to-socket-in-...
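As an added example (not from this thread and not Splunk's own code), a pre-flight check a forwarder admin can run before enabling a UDP input: it attempts the same bind the UF would and classifies the errno, and it also matches the splunkd.log line quoted in the question. The loopback host and port 514 used in the demo are assumptions.

```python
"""Pre-flight check for a Splunk UDP input: can this host actually bind the port?

Added example, not Splunk code. The splunkd error in the question ends in the
Windows text for error code 0, so it never names the cause; a bind attempt does.
"""
import errno
import re
import socket

# errno values that mean "another process already owns this port"
_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}

def udp_port_status(port: int, host: str = "0.0.0.0") -> str:
    """Bind a UDP socket the way a listener would and report the outcome.

    "free"   - bind succeeded (the socket is closed again immediately)
    "in-use" - EADDRINUSE: a syslog daemon or another input holds host:port
    "denied" - EACCES: privileged port and the service account lacks rights
    other    - "error:<errno name>" for anything else
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((host, port))
        return "free"
    except OSError as exc:
        if exc.errno in _IN_USE:
            return "in-use"
        if exc.errno == errno.EACCES:
            return "denied"
        return f"error:{errno.errorcode.get(exc.errno, exc.errno)}"
    finally:
        sock.close()

_BIND_ERR = re.compile(r"ERROR UDPInputProcessor - Error binding to socket")

def is_udp_bind_error(log_line: str) -> bool:
    """True for the splunkd.log line shape quoted in the question."""
    return _BIND_ERR.search(log_line) is not None

def demo_conflict(host: str = "127.0.0.1") -> tuple:
    """Reproduce the conflict: hold an ephemeral UDP port, check, release, check."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind((host, 0))                       # kernel picks a free port
    port = holder.getsockname()[1]
    while_held = udp_port_status(port, host)     # another socket owns it
    holder.close()
    after_release = udp_port_status(port, host)  # UDP has no TIME_WAIT
    return while_held, after_release

if __name__ == "__main__":
    print(demo_conflict())
    print(udp_port_status(514))  # assumed syslog port on this host
```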


donaldwayne1975
Path Finder

The device owner had another syslog application running and receiving the events. They did not communicate this to me until later. I configured Splunk to read the log files written by their syslog tool. Communication is key!


starcher
SplunkTrust

Best practice for syslog is to use a syslog server. Then use a UF to pick up the log files it writes.
