PREROUTED 514 traffic not being seen by Splunk

robnewman666
Path Finder

I have set up a port redirect using iptables -t nat -A PREROUTING -p UDP -m udp --dport 514 -j REDIRECT --to-ports 5140 and I can see the traffic hitting my em3 port using tcpdump, plus I have set up the port to listen for UDP traffic in Splunk, but nothing shows up within Splunk (indexes etc). I have made this work before using this method, but it isn't today and it's bugging me - any ideas why it's not?


TiagoTLD1
Communicator

Hi,

Check index=_internal for the connection from the port you are expecting. If data is really hitting Splunk, some message will show up there about it.

Let me know once you have results


robnewman666
Path Finder

So I configured an inputs.conf with the following:
[udp://5140]
sourcetype=syslog
connection_host=ip
queueSize = 1MB
persistentQueueSize = 5MB

Now I can see traffic going to port 5140 via index=_internal, but the host is showing as localhost=localdomain, not the ip address I would usually expect.


TiagoTLD1
Communicator

In your inputs.conf you are not specifying any index, so I would check index=main to see if the data is arriving there.


robnewman666
Path Finder

Thanks, will try this tomorrow to see if it works.

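One way to tell the two halves of this problem apart (is the REDIRECT actually delivering datagrams to 5140, or is Splunk's UDP input not picking them up), as an added example that is not from this thread: a throwaway listener on 5140 plus a sender that emits one RFC 3164 message to 514, using the ports from the posts above. It assumes Splunk's [udp://5140] input is stopped while the listener runs, and that the sender runs on a different host, because PREROUTING only processes packets arriving on an interface, never locally generated ones.

```python
import socket
import time

PUBLIC_PORT = 514      # port the syslog senders use (as in the thread)
REDIRECT_PORT = 5140   # port the [udp://5140] input listens on (as in the thread)

def build_syslog(msg, facility=1, severity=6, host="testhost", app="redirect-check"):
    """Build one RFC 3164 datagram: <PRI>TIMESTAMP HOST TAG: MSG, PRI = facility*8 + severity.
    Values are constructed for this check, not taken from the thread."""
    pri = facility * 8 + severity
    stamp = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {host} {app}: {msg}".encode()

def send_udp(payload, host, port):
    """Send one datagram. Run this on a different host than the listener:
    PREROUTING never sees loopback-originated traffic, so a local send proves nothing."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (host, port))

def bind_listener(bind_addr, port):
    """Bind exactly where Splunk would; stop its UDP input first or bind() fails with EADDRINUSE."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((bind_addr, port))
    return s

def recv_one(sock, timeout=5.0):
    """Return (peer_ip, payload) for the first datagram, or None on timeout.
    peer_ip is what connection_host=ip should record: REDIRECT rewrites the port, not the source."""
    sock.settimeout(timeout)
    try:
        data, (ip, _port) = sock.recvfrom(65535)
    except socket.timeout:
        return None
    return ip, data

def loopback_roundtrip(port=0):
    """Self-check of this tool on 127.0.0.1 (port 0 = any free port); no iptables involved."""
    sock = bind_listener("127.0.0.1", port)
    try:
        port = sock.getsockname()[1]
        send_udp(build_syslog("redirect check"), "127.0.0.1", port)
        return recv_one(sock)
    finally:
        sock.close()

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3 and sys.argv[1] == "send":   # usage: send <collector-ip>  (emits to 514)
        send_udp(build_syslog("redirect check"), sys.argv[2], PUBLIC_PORT)
    else:                                               # default: wait on 5140 like the Splunk input
        print(recv_one(bind_listener("0.0.0.0", REDIRECT_PORT), timeout=30.0))
```

If the listener prints the datagram with the sender's real IP, the iptables side is working and the remaining question is the inputs.conf/index side (index=_internal, then index=main as suggested above); if it prints None while tcpdump still shows port 514 traffic, the redirect rule is where to look.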