I have an ASA firewall sending data to my Splunk server (syslog port 514). When I run tcpdump...
I get data dumped. It looks like...
11:15:53.627144 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 145
11:15:53.628353 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 146
11:15:53.629599 IP 172.28.8.234.syslog > 172.28.60.163.syslog: SYSLOG local4.info, length: 181
But when I search Splunk for the IP 172.28.8.234, I get jack squat. What are some reasons Splunk would not be logging this data? Splunk is listening on UDP port 514...
~# nmap -sU localhost
Starting Nmap 5.00 ( http://nmap.org ) at 2013-05-03 11:20 EDT
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 998 closed ports
PORT     STATE         SERVICE
123/udp  open|filtered ntp
514/udp  open|filtered syslog
check this answer to see if it applies to your case:
Excellent. Thanks very much.
Also, data with sourcetype 'syslog' gets its host value from the host value specified in the events, which is not necessarily the same as the IP address of the host the events were received from.
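To illustrate the point in that answer, here is an added example (not from the original thread or from Splunk's own code) that models how a host value gets assigned from the syslog header rather than from the sending IP. The hostname "asa-fw01", the second sender 172.28.60.10 and the sample payloads are constructed, and the header regex is a simplified RFC 3164 stand-in, not Splunk's actual transform.

```python
import re
from collections import defaultdict

# Constructed sample datagrams: (source IP of the UDP packet, syslog payload).
# The firewall at 172.28.8.234 (from the question) is assumed to stamp the
# hypothetical device name "asa-fw01" into its syslog header.
CONSTRUCTED_DATAGRAMS = [
    ("172.28.8.234", "<166>May  3 11:15:53 asa-fw01 %ASA-6-302013: Built outbound TCP connection"),
    ("172.28.8.234", "<166>May  3 11:15:53 asa-fw01 %ASA-6-302014: Teardown TCP connection"),
    ("172.28.60.10", "<14>May  3 11:15:54 web01 sshd[4242]: Accepted publickey for admin"),
]

# Simplified RFC 3164 header: <PRI>TIMESTAMP HOSTNAME rest-of-message.
# This is a simplified model of syslog host extraction, not Splunk's real regex.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>[\w.\-]+)\s"
    r"(?P<msg>.*)$"
)


def host_for_event(sender_ip, payload):
    """Return the host value assigned to an event under sourcetype 'syslog'.

    A hostname present in the syslog header wins; if no header is recognised,
    the host falls back to the IP the datagram was received from."""
    m = HEADER_RE.match(payload)
    if m:
        return m.group("host")
    return sender_ip


def index_events(datagrams):
    """Group payloads by their assigned host, i.e. what a host= search sees."""
    by_host = defaultdict(list)
    for sender_ip, payload in datagrams:
        by_host[host_for_event(sender_ip, payload)].append(payload)
    return dict(by_host)


def search_host(index, host):
    """Mimic searching host=<value>: only events assigned that host match."""
    return index.get(host, [])
```

Searching for host=172.28.8.234 returns nothing here, while host=asa-fw01 returns both firewall events; searching the _raw text for the IP would also miss them because the sender address is never part of the payload.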