Deployment Architecture

Can Universal Forwarder listen to an UDP port and forward to the indexer?

marcos_eng1
Explorer

Hello Splunkers,

I have my firewall sending its logs to a CentOS server where I have the Splunk Universal Forwarder configured to listen on UDP 514 and forward it to the indexer. Although I have reviewed the configuration, I wasn't able to find the reason it is not working.

Note: I have tested inputs.conf and outputs.conf and it is working for the files I'm monitoring.

What am I missing here?

Any help would be very much appreciated!

1 Solution

isoutamo
SplunkTrust

Hi

Just check that you have "nmap-ncat-2:7.70-5.el8.x86_64 : Nmap's Netcat replacement" or some other Netcat installed, and then this should work.

You could also check whether splunkd is listening on UDP port 514 with (as root; without root you don't see the processes):

netstat -napu | egrep splunkd
udp   0   0 0.0.0.0:514       0.0.0.0:*               13866/splunkd

My proposal is to (if possible) change the port to something > 1024 and then run splunkd as a non-root user. If this is not possible, then you must run splunkd as root.

r. Ismo


marcos_eng1
Explorer

Yes. I have looked for anything arriving in my test index and nothing has shown up.


splunkcol
Builder

Hello,

Something similar happened to me.

Heavy forwarder via syslog

A firewall-type source sent logs to the heavy forwarder, but the folders that they should have had were not created when the logs arrived.

The configuration was fine, TCP and UDP ports 514 were active, but the logs were not arriving.

One of the things I ruled out was by using the sniffer (tcpdump host x.x.x.x), where in my case the sniffer confirmed reception of traffic.

Finally, it was the firewall of the heavy forwarder that was blocking it somehow.

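The accepted answer checks whether splunkd is actually bound to the UDP port (and points out the root requirement for ports below 1024), and the reply above adds the other two things to rule out: that the packets reach the wire and that the host firewall lets them through. The script below is an added example and is not code from the thread or from Splunk. Its helper names (udp_listener, needs_privilege, syslog_pri, syslog_line, send_udp) and the RUN_LIVE/PORT environment switches are this script's own; the listener-parsing logic accepts either `ss -ulnp` or `netstat -napu` output, and the sample lines used to exercise it are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Helper names are this script's own.
# Three checks for a UF that should be receiving syslog over UDP:
#   1. is anything bound to the port (and who owns the socket),
#   2. is the port privileged (< 1024 needs root or CAP_NET_BIND_SERVICE),
#   3. does a hand-built syslog datagram sent to the box show up in the index.
set -u

# Read `ss -ulnp` or `netstat -napu` output on stdin and print the local
# address plus owning process of a socket bound to port $1. In both tools the
# local address is column 4 and the process is the last column. Returns 1
# when nothing is bound to that port.
udp_listener() {
  awk -v p="$1" '
    $4 ~ (":" p "$") { found = 1; print $4, $NF; exit }
    END { exit found ? 0 : 1 }'
}

# Ports below 1024 cannot be bound by an unprivileged splunkd.
needs_privilege() { [ "$1" -lt 1024 ]; }

# RFC 3164 PRI = facility * 8 + severity (subset of facilities shown).
syslog_pri() {
  local fac sev
  case $1 in
    kern) fac=0 ;; user) fac=1 ;; daemon) fac=3 ;; auth) fac=4 ;;
    local0) fac=16 ;; local1) fac=17 ;; local4) fac=20 ;; local7) fac=23 ;;
    *) return 1 ;;
  esac
  case $2 in
    emerg) sev=0 ;; alert) sev=1 ;; crit) sev=2 ;; err) sev=3 ;;
    warning) sev=4 ;; notice) sev=5 ;; info) sev=6 ;; debug) sev=7 ;;
    *) return 1 ;;
  esac
  echo $(( fac * 8 + sev ))
}

# Build a BSD-syslog line "<PRI>TIMESTAMP HOST TAG: MSG", which the
# sourcetype=syslog stanza on the forwarder is meant to receive.
syslog_line() {  # facility severity timestamp host tag message
  local pri
  pri=$(syslog_pri "$1" "$2") || return 1
  printf '<%s>%s %s %s: %s' "$pri" "$3" "$4" "$5" "$6"
}

# Fire one datagram at host $1 port $2. Bash can do this without netcat via
# /dev/udp; the equivalent with nmap-ncat is `nc -u --send-only host port`
# (without --send-only ncat sits waiting for a reply that never comes).
send_udp() {
  printf '%s\n' "$3" > "/dev/udp/$1/$2"
}

# Live checks are opt-in (RUN_LIVE=1 PORT=514 ./uf-udp-check.sh) so the
# helpers above can be sourced and tested without touching the network.
if [ "${RUN_LIVE:-0}" = 1 ]; then
  port=${PORT:-514}
  if out=$(ss -ulnp 2>/dev/null | udp_listener "$port"); then
    echo "udp/$port listener: $out (run as root to see the process name)"
  else
    echo "nothing is bound to udp/$port: check inputs.conf and splunkd.log"
  fi
  needs_privilege "$port" && echo "udp/$port is privileged: splunkd must run as root, or move to a port > 1024"
  # If the listener is there but nothing is indexed, confirm the packets
  # arrive on the wire and that firewalld lets them in:
  #   tcpdump -ni any udp port "$port"
  #   firewall-cmd --list-all
  send_udp 127.0.0.1 "$port" "$(syslog_line local4 info "$(date '+%b %e %H:%M:%S')" "$(hostname)" uf-test "forwarder self-test $$")"
  echo "sent one test event; search the indexer for: index=test sourcetype=syslog uf-test"
fi
```

If the listener shows up but the self-test event never does, the problem is after the socket: the host firewall (the case in the reply above), the outputs.conf connection to the indexer, or the target index not existing on the indexer. If the listener does not show up, the stanza is not being loaded or splunkd could not bind, which is what the root/port > 1024 advice addresses.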

isoutamo
SplunkTrust

Hi

It's possible and a normal situation. If you want to listen on port 514 then you must run splunkd as root. A better option is to use e.g. 1514 and run it as a normal user.
inputs.conf is something like

https://community.splunk.com/t5/Getting-Data-In/How-to-configure-different-sourcetypes-for-udp-port-...
r. Ismo


marcos_eng1
Explorer

Thanks for the reply. I still was not able to make it work. Can anyone help with the step-by-step configuration?

Note: I know how to configure this in a full Splunk Enterprise installation, but collecting it with the Universal Forwarder is my first time.


isoutamo
SplunkTrust

Can you post your inputs.conf so we could see it and help you?

Basically what you need to do (without a deployment server):

On Indexer:

- Add receiving port

splunk enable listen 9997

Then on UF:

- Add output(s); if needed you could add several servers, or just edit those conf files, and then restart Splunk on the UF.

splunk add forward-server <your indexer IP>:9997

- Check that it's working and sending internal logs

splunk list forward-server

- Add the input for UDP (easiest is to edit the wanted inputs.conf; best is to create your own app for that)

[udp://:1514]
connection_host = dns
index = <your index>
sourcetype = <your sourcetype>
<other params which you want to add>

Then do a restart of that UF's splunkd and it should work.

https://docs.splunk.com/Documentation/Splunk/7.3.3/Admin/Inputsconf

r. Ismo

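The steps above (enable the receiving port on the indexer, add the forward-server on the UF, add a UDP input stanza, restart) can be done from the CLI and by editing conf files by hand; the script below is an added example that is not code from the thread or from Splunk. It writes the UF side of that procedure into its own app directory, as the answer recommends, so the settings survive upgrades and are visible to btool. The app name fw_syslog_inputs, the function names, the tcpout group name primary_indexers, the default indexer address 10.0.0.10:9997 and the RUN_LIVE/SPLUNK_HOME/PORT/INDEX/INDEXER environment switches are this script's assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Writes the Universal Forwarder side of
# the procedure above (outputs.conf + a UDP inputs.conf stanza) into a
# dedicated app, then prints the checks to run after the restart.
# App/group/function names and the placeholder indexer address are assumed.
set -u

# [udp://:PORT] binds every local address. 1514 (> 1024) is what the answer
# suggests so splunkd can stay a non-root user; 514 needs root.
render_inputs_conf() {  # port index sourcetype
  printf '[udp://:%s]\nconnection_host = dns\nindex = %s\nsourcetype = %s\ndisabled = 0\n' "$1" "$2" "$3"
}

# One tcpout group; pass several indexer:port arguments for load balancing.
render_outputs_conf() {  # indexer:port [indexer:port ...]
  local servers
  servers=$(printf '%s,' "$@")
  servers=${servers%,}
  printf '[tcpout]\ndefaultGroup = primary_indexers\n\n[tcpout:primary_indexers]\nserver = %s\n' "$servers"
}

# Create $SPLUNK_HOME/etc/apps/<app>/local with both files; prints the dir.
install_uf_app() {  # splunk_home app port index sourcetype indexer:port...
  local home=$1 app=$2 port=$3 index=$4 st=$5
  shift 5
  local dir="$home/etc/apps/$app/local"
  mkdir -p "$dir"
  render_inputs_conf "$port" "$index" "$st" > "$dir/inputs.conf"
  render_outputs_conf "$@" > "$dir/outputs.conf"
  echo "$dir"
}

# Opt-in live run, e.g.:
#   RUN_LIVE=1 PORT=1514 INDEX=test INDEXER=10.0.0.10:9997 ./uf-syslog-app.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
  SPLUNK_HOME=${SPLUNK_HOME:-/opt/splunkforwarder}
  dir=$(install_uf_app "$SPLUNK_HOME" fw_syslog_inputs "${PORT:-1514}" "${INDEX:-test}" syslog "${INDEXER:-10.0.0.10:9997}")
  echo "wrote $dir/inputs.conf and $dir/outputs.conf"
  # Merged view of every udp stanza splunkd will actually load, then restart
  # and confirm the indexer connection is up before pointing the firewall at it.
  "$SPLUNK_HOME/bin/splunk" btool inputs list udp --debug
  "$SPLUNK_HOME/bin/splunk" restart
  "$SPLUNK_HOME/bin/splunk" list forward-server
fi
```

Two things to verify on the indexer side, since the UF only forwards: `splunk enable listen 9997` has been run there, and the index named in the stanza already exists. If it does not, the indexer logs "Received event for unconfigured/disabled/deleted index" in splunkd.log and drops the events, which looks exactly like the symptom in this thread (listener up, nothing in the test index).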

marcos_eng1
Explorer

Sure, here is the Universal Forwarder inputs.conf:

[udp://514]
connection_host = ip
index = test
sourcetype = syslog
disabled = false


isoutamo
SplunkTrust

Hi

Please try

[udp://:514] if you are running splunkd as root, otherwise

[udp://:1514] if a non-root user (a service cannot bind to a port below 1024!)

r. Ismo


marcos_eng1
Explorer

I have changed the stanza to [udp://:514] and still did not work.
