Hi,
i'm using Splunk Cloud edition. I've set up the forwarders in a new Windows 2012 R2 freshly installed.
So, when I try to set a new (first one) data source, i receive the error "UDP port 514 is not available" . But, the server doesn't have any syslog installed.
thanks.
The storage of syslog information, or, in other words, a log administration and accessibility point of view. Since the information is being logged locally, a Splunk all inclusive forwarder can be introduced on the Syslog authority and forward the information to Splunk indexers. Install Syslog in your laptop without facing Error Code 0xc0000185 and send Syslog data to a server (or servers) functioning.
If you are sure there is no other process already using that port it is probably a firewall or permissions issue that prevents the Splunk process from using that port.
Any particular reason why you are running your forwarders on Windows? Especially for syslog data, it is usually recommended to use a linux server, with a syslog daemon on it that receives the data, writes it to disk and then install a forwarder on that same box to read those syslog files and send them to your indexer(s).
ok, but, if Splunk tells that a syslog is possible to have on a Windows so, i don't know why i need to switch to linux.. is it better if they say that they have problems with the forwarders on Windows .
Marco
I'm not saying it is not possible, just that it is not the typically recommended way of doing things.
It should definitely be possible to get your windows hosted forwarder listening on port 514. You just need to figure out why it is being blocked and then fix that. If you are sure that it is not another process that is listening on that port already, my guess is windows firewall or some permissions issue.
I personally haven't seen this error before, so I don't have more concrete suggestions for fixing it (although I do vaguely recall reading about this sort of issue before here on Answers).
@infosoftcomet since you have forwarder installed on windows box why don't you push a inputs.conf to monitor log files? In the main question you didn't mention that you are wanting to send syslog messages. Please provide somemore information. If you wanna send syslog messages directly to syslog-ng servers or indexers you don't have to install splunk agent on your windows box. Destination should have port opened to listen on that.