How to do it...

Follow these steps to configure Splunk to receive network UDP data:

  1. Log in to your Splunk server.
  2. From the menu in the top right-hand corner, click on the Settings menu and then click on the Add Data link.
  3. If you are prompted to take a quick tour, click on Skip.
  4. In the How do you want to add data section, click on Monitor.
  5. Click on the TCP / UDP section.
  6. Ensure the UDP option is selected and in the Port section, enter 514. On Unix/Linux, Splunk must be running as root to access privileged ports such as 514. An alternative would be to specify a higher port, such as port 1514, or route data from 514 to another port using routing rules in iptables. Then, click on Next.
  7. In the Source type section, select Select and then select syslog from the Select Source Type drop-down list and click Review.
  8. Review the settings and if everything is correct, click Submit.
  9. If everything was successful, you should see a UDP input has been created successfully message.
  10. Click on the Start Searching button. The Search & Reporting app will open with the search already populated based on the settings supplied earlier in the recipe. Splunk is now configured to listen on UDP port 514. Any data sent to this port now will be assigned the syslog source type. To search for the syslog source type, you can run the following search:
source="udp:514" sourcetype="syslog" 

Understandably, you will not see any data unless you happen to be sending data to your Splunk server IP on UDP port 514.
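The wizard steps above have a file-based equivalent: Splunk reads the same UDP input from an `[udp://<port>]` stanza in inputs.conf, and the privileged-port caveat in step 6 is usually handled by listening on 1514 and redirecting 514 to it with an iptables NAT rule. The script below is an added example, not part of the recipe or of Splunk itself: it picks a port the way step 6 describes, renders the matching inputs.conf stanza (the `sourcetype`, `index` and `connection_host` settings are real Splunk settings; the values are assumptions for this example), and then uses a loopback UDP socket as a stand-in for Splunk's listener to show what actually arrives on the port, including the `<PRI>` facility/severity header that the syslog source type keys on. The iptables command is only returned as a string, never executed.

```python
import os
import re
import socket

PRIVILEGED_PORT_LIMIT = 1024  # ports below this need root on Unix/Linux


def choose_port(wanted=514, running_as_root=None):
    """Return (port_to_listen_on, iptables_redirect_or_None).

    Mirrors step 6 of the recipe: a root Splunk can bind 514 directly; a
    non-root Splunk gets the higher port (514 -> 1514) plus the NAT rule
    that routes the original port to it. Detection of root is overridable
    so the function is testable without privileges.
    """
    if running_as_root is None:
        running_as_root = hasattr(os, "geteuid") and os.geteuid() == 0
    if wanted >= PRIVILEGED_PORT_LIMIT or running_as_root:
        return wanted, None
    alternative = wanted + 1000  # 514 -> 1514, as the recipe suggests
    redirect = ("iptables -t nat -A PREROUTING -p udp --dport %d "
                "-j REDIRECT --to-port %d" % (wanted, alternative))
    return alternative, redirect


def render_inputs_conf(port, sourcetype="syslog", index="main"):
    """Render the inputs.conf stanza equivalent to the Add Data wizard.

    connection_host = ip records the sender's IP as the host field, which is
    what you normally want for syslog relayed from many devices (assumed
    choice for this example; the wizard default may differ).
    """
    return ("[udp://%d]\n"
            "sourcetype = %s\n"
            "index = %s\n"
            "connection_host = ip\n" % (port, sourcetype, index))


SYSLOG_PRI = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Split the RFC 3164 <PRI> header into (facility, severity).

    PRI = facility * 8 + severity; anything above 191 is not a valid PRI.
    Returns None when the datagram carries no header at all, which is the
    case worth noticing in Splunk: the line still lands in the index, just
    without the facility/severity extractions you expected.
    """
    match = SYSLOG_PRI.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8


def udp_roundtrip(message, host="127.0.0.1"):
    """Stand-in for the Splunk UDP listener, on an ephemeral loopback port.

    Sends one datagram and returns (received_text, sender_ip). Splunk sees
    exactly these two things per datagram: the raw bytes and the source IP
    that connection_host = ip turns into the host field.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind((host, 0))          # port 0: let the OS pick a free port
    server.settimeout(2)
    port = server.getsockname()[1]
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        client.sendto(message.encode("utf-8"), (host, port))
        data, (sender_ip, _) = server.recvfrom(4096)
    finally:
        client.close()
        server.close()
    return data.decode("utf-8", errors="replace"), sender_ip


if __name__ == "__main__":
    port, redirect = choose_port(514)
    print(render_inputs_conf(port))
    if redirect:
        print("# run as root before starting Splunk:\n" + redirect)
    # Constructed sample datagram: facility 4 (auth), severity 2 (crit).
    sample = "<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for root"
    received, sender = udp_roundtrip(sample)
    print("from %s: %s -> facility/severity %s" % (sender, received,
                                                   parse_pri(received)))
```

Run it as the Splunk service user to see which port and stanza you would actually end up with; the rendered stanza can be dropped into `$SPLUNK_HOME/etc/system/local/inputs.conf` (assumed path convention) instead of clicking through the wizard.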