I was noticing something similar in setting up our filer to connect to SPLUNK. You may want to check what user SPLUNK is running as. I have it running as splunk, so it cannot bind to 514/UDP. I have to use an IPTABLES forwarding rule to forward from 514 to a port that SPLUNK is allowed to bind to:
Sample from /etc/sysconfig/iptables
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 5447
Then Splunk is actually set up to listen on 5447.
BTW - On the NETAPP, I was able to use
. @IP_ADDRESS
(Make sure the spaces are actually a tab. Apparently this can be an issue.)
Cheers
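An added example, not part of the original post: a shell check that a saved ruleset really carries the 514/UDP redirect in the nat table and that it points at the port Splunk listens on. The function names and the sample ruleset are constructed for illustration; only the `-A PREROUTING` line is taken from the post.

```shell
#!/bin/sh
# Added example: confirm that a saved ruleset redirects 514/UDP to the
# unprivileged port the Splunk UDP input listens on.

# Print the --to-ports value of every nat/PREROUTING REDIRECT rule for
# UDP destination port $1, reading iptables-save format on stdin.
redirect_target() {
    awk -v dport="$1" '
        /^\*/ { table = substr($0, 2) }          # "*nat", "*filter", ...
        table == "nat" && $1 == "-A" && $2 == "PREROUTING" {
            proto = ""; dp = ""; jump = ""; to = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p")         proto = $(i + 1)
                if ($i == "--dport")    dp    = $(i + 1)
                if ($i == "-j")         jump  = $(i + 1)
                if ($i == "--to-ports") to    = $(i + 1)
            }
            if (proto == "udp" && dp == dport && jump == "REDIRECT" && to != "")
                print to
        }'
}

# Return 0 if the ruleset in file $1 redirects 514/UDP to port $2.
check_syslog_redirect() {
    [ "$(redirect_target 514 < "$1")" = "$2" ]
}

# Constructed sample in the layout of /etc/sysconfig/iptables; only the
# -A PREROUTING line comes from the post.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 514 -j REDIRECT --to-ports 5447
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 5447 -j ACCEPT
COMMIT
EOF
}

tmp=$(mktemp)
sample_rules > "$tmp"
if check_syslog_redirect "$tmp" 5447; then
    echo "514/UDP is redirected to 5447"
else
    echo "no matching redirect found"
fi
rm -f "$tmp"
```

After the redirect, packets reach the INPUT chain with destination port 5447, so any filter rules have to allow that port rather than 514. A PREROUTING rule also does not apply to syslog traffic generated on the Splunk host itself.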