Getting Data In

TCP requirement for syslog transfer

jibin1988
Path Finder

Syslogs are sent on UDP port 514 towards Syslog-ng

But we have experienced that if TCP port 514 is not working/not open, syslogs are not transferred.

As soon as TCP is fixed, syslogs start transferring and validation is successful!

Can someone explain why it is like this/how this works?

0 Karma

bandit
Motivator

You can use the netcat (nc) command to test sending messages to either TCP or UDP 514 or other ports on the Linux command line.

Example commands (replace localhost with your IP or FQDN if not testing directly on the same server that hosts the syslog service).

udp test to localhost

echo -n "<14>mytesthost This is a syslog ***UDP 514*** Test" | nc -u -w5 -v localhost 514

tcp test to localhost

echo -n "<14>mytesthost This is a syslog ***TCP 514*** Test" | nc -w5 -v localhost 514

I also like this free testing tool for Windows (Essential NetTools) https://www.tamos.com/download/main/

0 Karma
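The same two probes as the nc commands above, as an added example that is not part of bandit's post: it sends a BSD-style syslog line over UDP and over TCP to local listeners it starts itself, and shows why a UDP send "succeeds" even when nothing is listening while a TCP send fails visibly (host names, ports and the message text are constructed for the demo).

```python
import socket
import threading

def build_message(facility=1, severity=6, host="mytesthost", text="syslog test"):
    """PRI is facility*8+severity; <14> = user-level notice, as in the nc examples."""
    return f"<{facility * 8 + severity}>{host} {text}".encode()

def send_udp(host, port, payload):
    """UDP is fire-and-forget: sendto() reports success whether or not a listener exists."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(payload, (host, port)) == len(payload)

def send_tcp(host, port, payload, timeout=5.0):
    """TCP needs a completed handshake; a closed or filtered port is reported as failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload + b"\n")  # newline framing, as a syslog-ng tcp() source expects
        return True
    except OSError:  # connection refused, timeout, or network unreachable
        return False

def local_roundtrip():
    """Constructed demo: local UDP and TCP listeners on 127.0.0.1, then a closed TCP port."""
    payload = build_message()
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp.bind(("127.0.0.1", 0))
    tcp.listen(1)
    received = {}
    def accept_one():
        conn, _ = tcp.accept()
        with conn:
            received["tcp"] = conn.recv(1024)
    t = threading.Thread(target=accept_one)
    t.start()
    udp_ok = send_udp("127.0.0.1", udp.getsockname()[1], payload)
    received["udp"] = udp.recv(1024)
    tcp_ok = send_tcp("127.0.0.1", tcp.getsockname()[1], payload)
    t.join()
    closed_port = tcp.getsockname()[1]
    tcp.close()  # nothing listens on closed_port any more
    udp.close()
    return {"udp_ok": udp_ok, "udp_got": received["udp"] == payload,
            "tcp_ok": tcp_ok, "tcp_got": received["tcp"] == payload + b"\n",
            # the UDP send to the closed port still looks successful; the TCP one does not
            "udp_to_closed": send_udp("127.0.0.1", closed_port, payload),
            "tcp_to_closed": send_tcp("127.0.0.1", closed_port, payload, timeout=2.0)}

if __name__ == "__main__":
    print(local_roundtrip())
```

This is why an open UDP port and a "successful" UDP test prove nothing about whether the sender's messages are arriving; only a capture on the receiver (or the sender's own transport setting) tells you which protocol is actually in use.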

jibin1988
Path Finder

Hi Rob,

I did that and we found the UDP port is open and TCP is closed using the nc command.

nc -vz 514 ---- connection timed out
nc -vzu 514 ---- it succeeded!!

So after this we opened the TCP port as well and the logs started reporting.

0 Karma

nickhills
Ultra Champion

Right - but you are testing which RECEIVING ports are open. My comment is: are you SURE you know what protocol syslog is being SENT on?

tcpdump the sending machine and see what traffic is being sent on 514.

If my comment helps, please give it a thumbs up!
0 Karma

gfreitas
Builder

Maybe you have a Load Balancer that health checks if TCP is working and if not it doesn't load balance the syslog traffic?

0 Karma

jibin1988
Path Finder

Thanks @gfreitas for your input.

Yes we do have a LB in between, But how can we confirm that?

0 Karma

gfreitas
Builder

I would say you need to check with whoever configured the LB.
In general you can use tcpdump to monitor your syslog server and check for any packets arriving from the Load Balancer IPs on port 514 TCP. This might give you confirmation that the LB is health checking the syslog server and therefore considering it down if no TCP connection is established.

0 Karma

nickhills
Ultra Champion

Syslog can be either TCP or UDP - are you sure that in your case that syslog was not using TCP transport instead of UDP?

If my comment helps, please give it a thumbs up!
0 Karma

isoutamo
SplunkTrust

Do you have the config of the sending syslog client? It definitely sounds like it sends events over TCP instead of UDP.

R. Ismo

0 Karma

gcusello
SplunkTrust

Hi @jibin1988,
are you sure about this?
I have experienced many times that opening only the UDP port (enabling a UDP network input), syslogs arrive.

Another question, you speak about syslog-ng, but are you receiving syslogs using syslog-ng or Splunk input?

Ciao.
Giuseppe

0 Karma

jibin1988
Path Finder

Hi Giuseppe,

We have experienced this situation: UDP port 514 was already open and still the device was not reporting. After troubleshooting for long hours we opened the TCP port and the device started sending logs.

And yes we are using syslog-ng for collecting the logs not Splunk input.

Regards,
Jibin

0 Karma

gcusello
SplunkTrust

Hi @jibin1988,
in this case I'm not able to support you, you need a network expert, not a Splunk expert!
At the same time, I suggest trying the Splunk network inputs; I'm very satisfied with them!

Ciao and see you next time.
Giuseppe

0 Karma