Hi all,
Let me preface this with: I am new to Splunk. I installed it 2 hours ago and I think it's great.
I have tried to find the answers in the docs and other posts, but can't find anything that will make it work.
SETUP:
Splunk 4.3.4 installed on Ubuntu 12.04 64-bit Server. Installed using the tgz, not the deb file.
Installed as a normal user to /home/john/opt, not via sudo to /opt.
SUCCESS:
Have added a data source from the local folder /var/log, and this works great: Splunk has indexed it and made it searchable.
NEXT STEP:
To add my Cisco ASA as a data source. I've tried Add > Data Input > UDP > 514, but I get the error message "Encountered the following error while trying to save: In handler 'udp': Parameter name: UDP port 514 is not available".
Running netstat -tuna on the Ubuntu server confirms UDP/514 is not listening. I wanted the Splunk server to open that port and "manage" it. I want to keep things as simple as possible and not install another syslog server and then forward on to Splunk. What is the simplest solution? Any guides or links much appreciated.
Thanks,
JSM
DETAILED Cisco commands applied to the ASA:
logging enable
logging buffer-size 16096
logging buffered warnings
logging trap notifications
logging history notifications
logging asdm warnings
logging host inside monitoring
NB: "monitoring" is my Splunk server, 192.168.1.48.
This means my Cisco ASA is sending Syslog messages to the Ubuntu Server.
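The "UDP port 514 is not available" error above is almost always a privilege problem rather than a port conflict: on Linux only root (or a process holding CAP_NET_BIND_SERVICE) can bind ports below 1024, and a tgz install run from /home/john/opt runs splunkd as a normal user. netstat showing nothing on 514 is consistent with that, since nothing has managed to open the port. The script below is an added example, not part of the original post and not Splunk's own code: it attempts the same UDP bind splunkd's input would make and reports whether it failed because the port is privileged or because something else (such as rsyslog) already owns it, and it parses the RFC 3164 <PRI> prefix of a received datagram so you can confirm the ASA really is sending at the configured "logging trap notifications" level. The port 5514, the filename, and the sample syslog line in the comments are assumptions/constructed.

```python
"""udp514_probe.py: diagnose why a non-root Splunk cannot open UDP/514 for
Cisco ASA syslog, and check what the ASA is actually sending.

Added example; not from the original post and not Splunk's own code.
Port numbers, hostnames and the sample syslog line are assumptions.
"""
import errno
import socket

# Cisco ASA 'logging trap <level>' keywords mapped to syslog severity numbers.
ASA_SEVERITIES = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}


def probe_udp_bind(port, host="0.0.0.0"):
    """Try to bind a UDP socket the way Splunk's UDP input would.

    Returns one of:
      "ok"         - bind succeeded (the socket is closed again immediately)
      "privileged" - EACCES/EPERM: port < 1024 and this user is not root and
                     lacks CAP_NET_BIND_SERVICE
      "in_use"     - EADDRINUSE: another process (e.g. rsyslog) already owns it
      "error:<n>"  - any other errno
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.bind((host, port))
        return "ok"
    except OSError as e:
        if e.errno in (errno.EACCES, errno.EPERM):
            return "privileged"
        if e.errno == errno.EADDRINUSE:
            return "in_use"
        return "error:%d" % e.errno
    finally:
        s.close()


def parse_syslog_pri(datagram):
    """Split an RFC 3164 '<PRI>' prefix into (facility, severity, rest).

    PRI = facility * 8 + severity. An ASA defaults to facility local4 (20),
    so a constructed severity-5 line looks like
    b"<165>Jul 10 12:00:00 asa-fw %ASA-5-111008: User 'enable_15' executed ..."
    Returns None if the datagram does not start with a well-formed <PRI>.
    """
    text = datagram.decode("utf-8", errors="replace")
    if not text.startswith("<"):
        return None
    end = text.find(">")
    if end < 1 or not text[1:end].isdigit():
        return None
    pri = int(text[1:end])
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        return None
    return pri // 8, pri % 8, text[end + 1:]


def would_asa_send(severity, trap_level="notifications"):
    """True if an ASA configured with 'logging trap <trap_level>' forwards a
    message of this numeric severity (lower number = more severe)."""
    return severity <= ASA_SEVERITIES[trap_level]


def receive_one(port, timeout=5.0, host="0.0.0.0"):
    """Bind, wait for a single datagram and return (source_ip, parsed_pri),
    or None on timeout. Run this on an unprivileged port such as 5514 after
    repointing the ASA at it to confirm traffic is arriving from the firewall."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.bind((host, port))
        data, (src_ip, _) = s.recvfrom(65535)
        return src_ip, parse_syslog_pri(data)
    except socket.timeout:
        return None
    finally:
        s.close()


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 514
    print("UDP/%d bind as this user: %s" % (port, probe_udp_bind(port)))
```

Run it as the same user that runs splunkd: `python3 udp514_probe.py 514` should report `privileged`, while `python3 udp514_probe.py 5514` should report `ok`. The simplest fixes that keep Splunk running as a normal user are to point the ASA at a high port (`logging host inside 192.168.1.48 udp/5514`) and create the Splunk UDP input on 5514, or to leave 514 on the wire and redirect it in the kernel with `iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-ports 5514`. Granting `cap_net_bind_service` to the splunkd binary with setcap also works, but it has to be re-applied whenever an upgrade replaces the binary.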