I'm testing out Splunk for my home network and I'm running into an issue. I have configured my home router (Ubiquiti Dream Machine) to forward syslog to my virtual instance of Splunk.
I have reconfigured the default UDP port 514 to UDP port 1514. I can confirm that the VM is receiving the logs via Wireshark. I feel like it's something small, but I can't figure it out. I used the "Data Inputs" wizard to capture the data. Any help here would be greatly appreciated.
Wireshark captures before the firewall. It could be a host-based firewall on the Splunk machine blocking it. Also: have you confirmed Splunk has indeed started listening on that port? If you've already ruled both of those out, check your splunkd.log for any related errors or warnings. Also: try searching over all time, to rule out misconfigured timestamp extraction / timezone setting.
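The checklist in the answer above, as an added example script (not code from the thread or from Splunk): one function per host-side check, each reading the relevant tool's output from stdin so it can be run against the constructed samples below without touching a real box. Assumptions: a Linux Splunk host with `ss`, `iptables` and/or `ufw` available for the `--live` mode, the default `/opt/splunk` install path for `splunkd.log`, and sample `ss`/`iptables`/`ufw`/`splunkd.log` lines that are constructed here in the shape of the real output.

```shell
#!/bin/sh
# Added example, not from the original thread. Three host-side checks from the answer:
#   1. is anything bound to the syslog UDP port (ss)
#   2. does the host firewall allow it (iptables -S / ufw status)
#   3. does splunkd.log complain about the input or about timestamp parsing
# Each check reads tool output from stdin; run with --live on the Splunk VM to use real output.

SYSLOG_PORT="${SYSLOG_PORT:-1514}"
# Assumed default Splunk Enterprise install path.
SPLUNKD_LOG="${SPLUNKD_LOG:-/opt/splunk/var/log/splunk/splunkd.log}"

# Check 1: is a UDP socket bound to port $1?  Reads `ss -ulnp` output; exit 0 if found.
# The local address prints as 0.0.0.0:1514, *:1514 or [::]:1514 followed by whitespace,
# so ":15140 " or "pid=1514" in the process column do not produce a false positive.
udp_listener_present() {
    grep -Eq "[:*]$1[[:space:]]"
}

# Check 2: does the host firewall have an allow rule for udp/$1?  Accepts either
# `iptables -S INPUT` lines or `ufw status` lines.  Caveat: this only tests presence;
# in iptables a DROP rule ordered before the ACCEPT still wins, so read the full chain.
fw_allows_udp() {
    grep -Eq -- "(-p udp .*--dport $1[[:space:]].*-j ACCEPT|^$1/udp[[:space:]]+ALLOW)"
}

# Check 3: WARN/ERROR lines in splunkd.log that mention UDP, port $1, or the date parser
# (the "search over all time" symptom).  Prints the matches; exit 0 if there were any.
splunkd_input_issues() {
    grep -E '(WARN|ERROR)' | grep -Ei "udp|[:= ]$1([^0-9]|$)|DateParser"
}

# --- constructed sample output (not captured from a real system) for offline runs ---
SAMPLE_SS='UNCONN 0 0    0.0.0.0:1514   0.0.0.0:*  users:(("splunkd",pid=2314,fd=45))
UNCONN 0 0  127.0.0.1:323    0.0.0.0:*  users:(("chronyd",pid=611,fd=6))'

# Host firewall as the original poster likely had it: no rule for udp/1514.
SAMPLE_IPTABLES_BROKEN='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -j ACCEPT'

# Same chain after: iptables -I INPUT -p udp --dport 1514 -j ACCEPT
SAMPLE_IPTABLES_FIXED='-P INPUT DROP
-A INPUT -p udp -m udp --dport 1514 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

SAMPLE_UFW='1514/udp                   ALLOW       Anywhere'

SAMPLE_SPLUNKD_LOG='05-01-2023 10:00:01.000 -0400 INFO  TcpInputProc - Creating raw Acceptor for IPv4 port 9997
05-01-2023 10:00:02.000 -0400 ERROR UDPInputProcessor - Could not bind to port 1514: Address already in use
05-01-2023 10:00:03.000 -0400 WARN  DateParserVerbose - Failed to parse timestamp. Defaulting to timestamp of previous event'

# Run the three checks against the live host.
run_live_checks() {
    echo "== UDP listener on port $SYSLOG_PORT =="
    if command -v ss >/dev/null 2>&1 && ss -ulnp 2>/dev/null | udp_listener_present "$SYSLOG_PORT"; then
        echo "ok: something is bound to udp/$SYSLOG_PORT"
    else
        echo "MISSING: no UDP listener on $SYSLOG_PORT (check the UDP data input is enabled, then splunkd.log)"
    fi

    echo "== host firewall =="
    if command -v iptables >/dev/null 2>&1 && iptables -S INPUT 2>/dev/null | fw_allows_udp "$SYSLOG_PORT"; then
        echo "ok: iptables ACCEPT rule for udp/$SYSLOG_PORT"
    elif command -v ufw >/dev/null 2>&1 && ufw status 2>/dev/null | fw_allows_udp "$SYSLOG_PORT"; then
        echo "ok: ufw ALLOW rule for udp/$SYSLOG_PORT"
    else
        echo "NO RULE FOUND: Wireshark sees the packets but the host may drop them before splunkd."
        echo "  e.g. iptables -I INPUT -p udp --dport $SYSLOG_PORT -j ACCEPT   (or: ufw allow $SYSLOG_PORT/udp)"
    fi

    echo "== splunkd.log =="
    if [ -r "$SPLUNKD_LOG" ]; then
        splunkd_input_issues "$SYSLOG_PORT" < "$SPLUNKD_LOG" \
            || echo "no WARN/ERROR lines about udp/$SYSLOG_PORT or timestamp parsing"
    else
        echo "cannot read $SPLUNKD_LOG"
    fi
}

case "${1:-}" in
    --live) run_live_checks ;;
esac
```

Run it as `sh check_syslog_input.sh --live` on the Splunk VM (as root, so `ss -p` and `iptables` can see everything). The fourth point in the answer lives on the Splunk side rather than the shell: an all-time search such as `index=* earliest=0 | stats count by host, sourcetype` shows whether the events are actually indexed but landed at a wrong time because of timestamp extraction or timezone settings.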
It was the host FW. It's always something small. Thanks