Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Running rsyslog and Splunk Enterprise on the same machine

jkamdar
Path Finder
3 weeks ago

Hi, I have a small lab (air gapped) with about 2 Linux servers  not including the Splunk server and 25 Windows machine.

 

I have deployed Splunk and ingesting logs from all Linux and Windows clients and also from network switch, VMWare server and hosts.

 

I am able to send logs from network switch and VMWare hosts directly into Splunk using using "Data Inputs->TCP" and by picking different ports for each service but for Cisco UCS Chassis, to send logs, I can't configure other than syslog server name and log level. 

So I setup a rsyslog server on the same machine as Splunk Enterprise. It seems to be running but I don't logs from Cisco UCS. I have check firewall rules as well and all seems to be configured properly. 

Any tips about running rsyslog and Splunk server on the same machine and about sending Cisco UCS logs to rsyslog/splunk would be appreciated. 

Unfortunately, I can't provide much info as this is an air gapped lab. 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkamdar
Path Finder
2 weeks ago

Just wanted to report, the problem has been solved. Everything remained same, I just restarted rsyslog and I started seeing logs on the rsyslog server; when in doubt, reboot seemed to have worked here 🙂

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jkamdar
Path Finder
2 weeks ago

Just wanted to report, the problem has been solved. Everything remained same, I just restarted rsyslog and I started seeing logs on the rsyslog server; when in doubt, reboot seemed to have worked here 🙂

0 Karma
Reply
Solved! Jump to solution

jkamdar
Path Finder
2 weeks ago

@PickleRick thanks for your response. Yes, it's configured properly but tcpdump showed nothing coming to port 514. It seems the problem might be on the UCS side. As someone on the Cisco community suggested, tried to run on UCS side "ethanalyzer local interface mgmt capture-filter "port 514" limit-captured-frames 0 detail" but looks like it's not generating any traffic to send out port 514 on UCS itself and hence no data on the rsyso

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
3 weeks ago

There is absolutely no problem with running rsyslog on the same box as splunk provided that you're not trying to bind the same port(s) to both programs.

Have you configured rsyslog to receive network data on proper ports? Did you verify it is listening? Did you check with tcpdump/wireshark whether UCS is sending data?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
OSZAR »