I am not very network savvy. I'm trying to get my home router to syslog to Splunk so I can look at connection info in the Home Monitor app.
I can see events in the bandwidth_test sourcetype, so I know that I have the app running.
If I go to Settings | Data inputs | UDP, I can see UDP port 514 enabled with source type RT-N66U.
And in Windows Firewall, I can see that I have created an inbound rule called Splunk Syslog, which allows local port UDP 514 and remote port: all ports.
On my RT-N66U router I have set remote log server to my Splunk install's IP address.
But in the app, I see no logs, and in the search app I do not see events from syslog or RT-N66U or asus.
I tried running netstat -p UDP, which returns nothing. netstat -p TCP does return a lot of high ports and 8000, 8191 (I think these are the Splunk app).
Any clues/advice on what I am missing?
It seems like your router is not sending the appropriate data which can be used in the app. Make sure to enable the firewall feature (if applicable) to send the data required for the app to work.
Did you ever get this figured out? I'm having the exact same problem.
UDP packets should arrive at your Windows box regardless of whether Splunk is listening (if not, they will just get dropped). I'd suggest using a tool like Wireshark to capture incoming network traffic, to confirm whether there is any incoming syslog traffic on UDP 514.
If so, the issue seems to be on the Splunk side. If not, the issue is with your syslog source (or something in between your source and your Splunk box).
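The point above (a datagram reaches the host whether or not anything is bound to the port, and is simply dropped if nothing is) can be exercised without a router. The script below is an added example, not code from this thread or from the Home Monitor app: it binds a UDP listener on loopback, sends itself one RFC 3164-style syslog line modelled on what a router emits (the message content is constructed), and decodes the priority header the way a collector would. It asks the OS for a free high port because binding 514 usually needs elevation; that port choice and the sample message are assumptions.

```python
import re
import socket

# Constructed sample: PRI <13> = facility 1 (user) * 8 + severity 5 (notice).
# The hostname and text are made up for the example.
SAMPLE_MSG = "<13>Feb 19 21:56:17 RT-N66U kernel: constructed test event"

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_priority(message: str):
    """Return (facility, severity_name, body) for an RFC 3164 message.

    PRI is facility * 8 + severity; values above 191 are invalid.
    Returns None when the message has no usable <PRI> header.
    """
    m = PRI_RE.match(message)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, SEVERITIES[pri % 8], m.group(2)


def loopback_roundtrip(message: str, port: int = 0, timeout: float = 2.0) -> str:
    """Bind a UDP listener on 127.0.0.1, send `message` to it, return what arrived.

    port=0 lets the OS pick a free high port (assumption for the example;
    a real collector would bind 514). The listener must exist *before* the
    send: UDP has no handshake, so a datagram sent to an unbound port is
    dropped silently even though a packet capture on the host still sees it.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.settimeout(timeout)
    listener.bind(("127.0.0.1", port))
    bound_port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(message.encode("utf-8"), ("127.0.0.1", bound_port))
        data, _peer = listener.recvfrom(65535)
        return data.decode("utf-8", errors="replace")
    finally:
        sender.close()
        listener.close()


if __name__ == "__main__":
    received = loopback_roundtrip(SAMPLE_MSG)
    print("received:", received)
    print("parsed:", parse_priority(received))
```

If this round trip works but the real input never shows data, the gap is between the NIC and the collector's socket (firewall rule scope, wrong bind address, or the input not actually bound), which is exactly what the later netstat -an and metrics.log checks in this thread narrow down.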
Thanks, FrankVI. I downloaded Wireshark, filtered port UDP 514, turned on my router VPN just to create some syslog data, and Wireshark went crazy with tons of packets showing up on UDP 514 (on my Win 10 box which runs Splunk). So I know for certain the info is being sent from the router to the Splunk server box. The problem now is Splunk displays nothing. We can rule out the router sending the syslog...it is. Something is wrong with the Splunk settings on my Win 10 box. I am really batting zero on this one.
Any errors in splunkd.log about this input? Any sign of life in metrics.log for this input/sourcetype?
How are you searching for the data? Perhaps check for "All Time" in case some timestamping issue puts the events in the future or something.
I attempted to send you some log outputs, but it appears the moderator is holding them up. Not sure why.
From Splunkd.log: 02-19-2018 08:23:29.628 -0500 WARN HttpListener - Connection from 127.0.0.1 didn't send us any data, disconnecting
Let's see if this makes it past the moderator.
HttpListener doesn't sound very relevant...
Not sure what else to do. Router is sending syslog to win 10 box (confirmed with wireshark). Splunk just sits there doing nothing. It's probably something simple, but I can't imagine what it would be.
Kam mentioned something about Splunk may not be authorized (admin) to receive on UDP 514. However, I have Splunk installed as admin.
My assumption is that Windows is not listening on port 514 or 1514 since Splunk is not authorized to open the ports. I’m going to play with my windows 10 Vm and try to get it to work.
https://github.com/amiracle/homemonitor/wiki/Windows-10-and-Splunk-Enabling-syslog-UDP-514
I tested this on a Windows 10 Pro box in my Oracle Virtual Box setup, it worked.
I set up a page that walks through setting up Splunk with the firewall. Can you tell me your Windows 10 version (Pro, S, EDU etc.)? Also, can you run "netstat -an" and see if UDP 0.0.0.0:514 * shows up?
Kam, apologies if this shows up twice. Whenever I send log outputs, it never gets posted.
I'm running a Toshiba Laptop i3 processor 8GB RAM with Win 10 Pro. I run it headless and remote into it via RDP. It only runs 2 Applications: A Minecraft Server (which runs fine) and Splunk (which doesn't run at all). I do have UDP 514 and 1514, as well as the Splunk App, allowed through the Win 10 Firewall (No third party firewall).
Yes, running netstat -an outputs the following: UDP 0.0.0.0:514 .
Hope this helps. Thanks for your help.
Also, Minecraft uses Port 25565, so it shouldn't interfere with Splunk.
Running netstat -an outputs the following: UDP 0.0.0.0:514 .
Weird, I can't post the star dot star after 514, but it's there.
Thought I'd send you my transforms config just in case you see something wrong:
[R7000]
REGEX = R7000
SOURCE_KEY = MetaData:Host
FORMAT = sourcetype::asus
DEST_KEY = MetaData:Sourcetype
It looks like you have:
1) Splunk accepting data on port 514.
(Splunk search to make sure it's working: index=_internal sourcetype=splunkd udpin_connections* will show you that Splunk is listening and the metrics of the data flowing in on port 514.)
2) Windows firewall allowing UDP 514 into your Splunk box.
3) What does index=homemonitor | stats count by sourcetype show you?
If you are seeing sourcetype=syslog in your homemonitor index, then it's a simple transforms issue we can fix. Otherwise, if you have no other syslog data coming into your Windows box, just make the default sourcetype for UDP:514 be asus.
I get lots of data using udpin_connections:
2/19/18 9:56:17.103 PM
02-19-2018 21:56:17.103 -0500 INFO Metrics - group=udpin_connections, *:514, sourcePort=514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00
host = Minecraft source = C:\Program Files\Splunk\var\log\splunk\metrics.log sourcetype = splunk
When I run index=homemonitor I get:
"asus" and it shows count 10 at end of line.
Are those metrics logs always showing 0 bps/eps etc.?
Thanks. I'm running Win 10 Pro on a Toshiba Laptop with an i3 processor and 8G RAM.
netstat -an shows this:
UDP 0.0.0.0:514 *:*
UDP 0.0.0.0:1514 *:*
From metrics.log: 02-19-2018 10:20:20.097 -0500 INFO Metrics - group=udpin_connections, *:514, sourcePort=514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00
metrics log shows ports 514 and 1514 doing something. Just not sure what:
02-19-2018 08:33:54.108 -0500 INFO Metrics - group=thruput, name=syslog_output, instantaneous_kbps=0, instantaneous_eps=0, average_kbps=0, total_k_processed=0, kb=0, ev=0
02-19-2018 08:33:54.108 -0500 INFO Metrics - group=thruput, name=thruput, instantaneous_kbps=1.0661555096603041, instantaneous_eps=3.740613659602126, average_kbps=1.0583531226077707, total_k_processed=128644, kb=33.0625, ev=116
02-19-2018 08:33:54.108 -0500 INFO Metrics - group=udpin_connections, *:1514, sourcePort=1514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00
02-19-2018 08:33:54.108 -0500 INFO Metrics - group=udpin_connections, *:514, sourcePort=514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00
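The question asked just above (are the udpin_connections metrics always zero?) is what these lines answer, and it is worth reading them mechanically rather than by eye. The script below is an added example, not part of this thread or of Splunk: it parses metrics.log udpin_connections lines, aggregates per listening port, and labels each port as "receiving" or "listening, no data". The first four sample lines are copies of the ones posted above; the fifth, on port 5514 with non-zero counters, is constructed so the script shows both outcomes. The field names are taken from the posted lines; the threshold logic is an assumption of the example.

```python
import re
from collections import defaultdict

# Sample input: four lines copied from the thread, plus one constructed line
# (port 5514, non-zero counters) so both verdicts appear.
SAMPLE_LINES = [
    "02-19-2018 08:33:54.108 -0500 INFO Metrics - group=thruput, name=syslog_output, instantaneous_kbps=0, instantaneous_eps=0, average_kbps=0, total_k_processed=0, kb=0, ev=0",
    "02-19-2018 08:33:54.108 -0500 INFO Metrics - group=udpin_connections, *:1514, sourcePort=1514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00",
    "02-19-2018 08:33:54.108 -0500 INFO Metrics - group=udpin_connections, *:514, sourcePort=514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00",
    "02-19-2018 10:20:20.097 -0500 INFO Metrics - group=udpin_connections, *:514, sourcePort=514, _udp_bps=0.00, _udp_kbps=0.00, _udp_avg_thruput=0.00, _udp_kprocessed=0.00, _udp_eps=0.00",
    # constructed: a port that is actually receiving syslog
    "02-19-2018 10:20:20.097 -0500 INFO Metrics - group=udpin_connections, *:5514, sourcePort=5514, _udp_bps=812.40, _udp_kbps=0.79, _udp_avg_thruput=0.80, _udp_kprocessed=24.50, _udp_eps=3.50",
]

UDPIN_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) INFO Metrics - "
    r"group=udpin_connections, \*:(?P<port>\d+), (?P<kv>.*)$"
)


def parse_udpin_line(line: str):
    """Return a dict for a udpin_connections metrics line, or None for other lines."""
    m = UDPIN_RE.match(line)
    if not m:
        return None
    fields = {}
    for part in m.group("kv").split(", "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return {
        "ts": m.group("ts"),
        "port": int(m.group("port")),
        "eps": float(fields.get("_udp_eps", "0")),
        "kprocessed": float(fields.get("_udp_kprocessed", "0")),
    }


def summarize(lines):
    """Aggregate per port. A port that appears at all is bound by the process;
    whether it is 'receiving' is decided by any non-zero eps or kprocessed sample."""
    per_port = defaultdict(lambda: {"samples": 0, "max_eps": 0.0, "max_kprocessed": 0.0})
    for line in lines:
        rec = parse_udpin_line(line)
        if rec is None:
            continue
        p = per_port[rec["port"]]
        p["samples"] += 1
        p["max_eps"] = max(p["max_eps"], rec["eps"])
        p["max_kprocessed"] = max(p["max_kprocessed"], rec["kprocessed"])
    for p in per_port.values():
        p["status"] = "receiving" if (p["max_eps"] > 0 or p["max_kprocessed"] > 0) else "listening, no data"
    return dict(per_port)


if __name__ == "__main__":
    for port, info in sorted(summarize(SAMPLE_LINES).items()):
        print(f"udp/{port}: {info['status']} ({info['samples']} samples, max eps {info['max_eps']})")
```

Applied to the posted lines, ports 514 and 1514 come out as "listening, no data": the socket exists (which matches the netstat -an output earlier in the thread) but no datagram has been counted by the input, so the packets Wireshark saw are being stopped between the NIC and the process rather than lost after ingestion.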