Hello Splunkers,
I have my firewall sending its logs to a CentOS server where I have the Splunk Universal Forwarder configured to listen on UDP 514 and forward to the indexer. Although I have reviewed the configuration, I wasn't able to find the reason it is not working.
Note: I have tested inputs.conf and outputs.conf, and they are working for the files I'm monitoring.
What am I missing here?
Any help would very much be appreciated!
Hi
Just check that you have "nmap-ncat-2:7.70-5.el8.x86_64 : Nmap's Netcat replacement" or some other Netcat installed, and then this should work.
You could also check whether splunkd is listening on UDP port 514 with the following (as root; without root you don't see the processes):
netstat -napu | egrep splunkd
udp 0 0 0.0.0.0:514 0.0.0.0:* 13866/splunkd
My proposal is (if possible) to change the port to something > 1024 and then run splunkd as a non-root user. If this is not possible, then you must run splunkd as root.
r. Ismo
Yes. I have looked for anything arriving in my test index and nothing has shown up.
Hello,
I ran into something similar.
Heavy forwarder via syslog.
A firewall-type source sent logs to the heavy forwarder, but the folders they should have been put in were not created when the logs arrived.
The configuration was fine and TCP and UDP ports 514 were active, but the logs were not arriving.
One of the checks I did was to use the sniffer (tcpdump host x.x.x.x), which in my case confirmed reception of the traffic.
In the end it was the heavy forwarder's own firewall that was somehow blocking it.
Hi
It's a possible and normal situation. If you want to listen on port 514, then you must run splunkd as root. The better option is to use e.g. 1514 and run it as a normal user.
inputs.conf is something like
Thanks for the reply. I still was not able to make it work. Can anyone help with the step-by-step configuration?
Note: I know how to config in full Splunk Enterprise Installation but to collect it with Universal Forwarder, it is my first time.
Can you post your inputs.conf so we can see it and help you?
Basically, this is what you need to do (without a deployment server).
On Indexer:
- Add receiving port
splunk enable listen 9997
Then on UF:
- Add output(s); if needed you can add several servers, or just edit those conf files and then restart Splunk on the UF.
splunk add forward-server <your indexer IP>:9997
- Check that it's working and sending internal logs
splunk list forward-server
- Add an input for UDP (easiest is to edit the relevant inputs.conf; best is to create your own app for that)
[udp://:1514]
connection_host = dns
index = <your index>
sourcetype = <your sourcetype>
<other params which you want to add>
Then restart that UF's splunkd and it should work.
https://docs.splunk.com/Documentation/Splunk/7.3.3/Admin/Inputsconf
r. Ismo
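Pulling the UF steps above into one runnable script, as an added example that is not part of the thread: it generates the [udp://:<port>] input and the indexer output into a small UF app, checks the port-versus-user rule from the earlier reply, and sends a constructed test syslog line over bash's /dev/udp so you do not need netcat. The app name fw_syslog, the indexer address, the sample message and the file paths are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): build a small UF app with the UDP
# input and the indexer output described in the thread, sanity-check the
# port choice, and send a constructed test syslog line with bash's /dev/udp
# (no netcat needed). App name, paths and the sample line are assumptions.
set -eu

# Return 0 if PORT can be bound by USER: ports below 1024 need root (the
# point of the thread); anything above is fine for an unprivileged user.
port_ok_for_user() {
  local port=$1 user=$2
  if [ "$port" -lt 1024 ] && [ "$user" != "root" ]; then
    return 1
  fi
  return 0
}

# Print the inputs.conf stanza in the [udp://:<port>] form used in the thread.
# connection_host = dns makes Splunk resolve the sender's IP to a hostname.
inputs_stanza() {
  local port=$1 index=$2 sourcetype=$3
  printf '[udp://:%s]\nconnection_host = dns\nindex = %s\nsourcetype = %s\ndisabled = false\n' \
    "$port" "$index" "$sourcetype"
}

# Print an outputs.conf pointing the UF at the indexer's receiving port
# (equivalent to what `splunk add forward-server <indexer>:9997` writes).
outputs_stanza() {
  local indexer=$1 port=$2
  printf '[tcpout]\ndefaultGroup = primary\n\n[tcpout:primary]\nserver = %s:%s\n' \
    "$indexer" "$port"
}

# Write both files into $SPLUNK_HOME/etc/apps/<app>/local and print that dir.
write_app() {
  local splunk_home=$1 app=$2 port=$3 index=$4 sourcetype=$5 indexer=$6
  local dir="$splunk_home/etc/apps/$app/local"
  mkdir -p "$dir"
  inputs_stanza "$port" "$index" "$sourcetype" > "$dir/inputs.conf"
  outputs_stanza "$indexer" 9997 > "$dir/outputs.conf"
  echo "$dir"
}

# Send one constructed RFC 3164-style syslog line over UDP using bash's
# /dev/udp pseudo-device, so the check works even without netcat installed.
send_test_syslog() {
  local host=$1 port=$2
  local msg="<134>$(date '+%b %d %H:%M:%S') fw01 test: constructed message from send_test_syslog"
  printf '%s\n' "$msg" > "/dev/udp/$host/$port"
}

# Typical use (assumes splunkd runs as the user "splunk", so 1514 is chosen):
# port_ok_for_user 1514 splunk && write_app /opt/splunkforwarder fw_syslog 1514 test syslog 10.0.0.5
# then restart the UF and run: send_test_syslog 127.0.0.1 1514
```

After restarting the UF, confirm the bind with `ss -lunp | grep splunkd` (or the netstat command from the earlier reply) and watch the wire with `tcpdump -ni any udp port 1514` while running send_test_syslog; if the packet shows up in tcpdump but never reaches the index, look at the host firewall on the forwarder, as the heavy forwarder story in this thread illustrates.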
Sure, here is the Universal Forwarder inputs.conf:
[udp://514]
connection_host = ip
index = test
sourcetype = syslog
disabled = false
Hi
Please try
[udp://:514] if you are running splunkd as root, otherwise
[udp://:1514] if running as a non-root user (you cannot bind a service to a port below 1024!)
r. Ismo
I have changed the stanza to [udp://:514] and it still did not work.