In a non-distributed architecture (your indexer is also the host receiving the events), you might want to keep Splunk running as a non-privileged user but still receive syslog from remote hosts. Only root (or a process with CAP_NET_BIND_SERVICE) can bind port 514, so you have (mainly) two solutions:

  • Set up your favorite syslog daemon (syslog-ng or rsyslogd) to listen on port 514, and then configure Splunk to read the syslog files it writes. This has the advantage of not missing any syslog message when you restart Splunk, since the daemon keeps receiving while Splunk is down.

  • Use iptables to redirect incoming traffic from port 514 to a non-privileged port (like 1514) and set up Splunk to listen on that port:

    iptables -A PREROUTING -t nat -p udp --dport 514 -j REDIRECT --to-ports 1514
    iptables -A PREROUTING -t nat -p tcp --dport 514 -j REDIRECT --to-ports 1514

    Two things to keep in mind: the redirect happens before the filter table sees the packet, so if you run a host firewall its INPUT chain must accept port 1514 (not 514); and these rules are not persistent, so save them with iptables-save (or your distribution's equivalent) or they will be gone after a reboot.
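The following script is an added example, not code from the original post: it installs the redirect described above idempotently (re-running it does not duplicate rules), refuses a target port that a non-root Splunk could not bind anyway, and goes one step beyond the post by also redirecting syslog that this host sends to itself, which traverses the nat OUTPUT chain rather than PREROUTING. It assumes iptables is installed, root for the `apply` step, and the port numbers used above.

```shell
#!/bin/sh
# Added example: redirect syslog (514/udp and 514/tcp) to an unprivileged port
# so a Splunk instance running as a normal user can listen for it.
# Assumptions: iptables available, root privileges when run with "apply",
# ports 514 -> 1514 as in the post.

SYSLOG_PORT=514
SPLUNK_PORT=1514   # must be >= 1024 or the non-root Splunk cannot bind it

# Return 0 if a process without CAP_NET_BIND_SERVICE can bind this port.
is_unprivileged_port() {
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Print the rule specification shared by the check (-C) and append (-A) calls.
# REDIRECT rewrites the destination port before the filter table sees the
# packet, so a host firewall must accept $3 in INPUT, not $2.
redirect_spec() {
    printf '%s' "-p $1 --dport $2 -j REDIRECT --to-ports $3"
}

# Install the redirect for one protocol; safe to call repeatedly.
apply_redirect() {
    proto=$1 from=$2 to=$3
    is_unprivileged_port "$to" || { echo "refusing: $to is a privileged port" >&2; return 1; }
    spec=$(redirect_spec "$proto" "$from" "$to")
    # Word splitting of $spec into separate arguments is intended here.
    # PREROUTING only sees packets arriving from the network ...
    iptables -t nat -C PREROUTING $spec 2>/dev/null || iptables -t nat -A PREROUTING $spec
    # ... syslog generated on this host and sent to localhost:514 goes through
    # the nat OUTPUT chain instead, so redirect loopback traffic as well.
    iptables -t nat -C OUTPUT -o lo $spec 2>/dev/null || iptables -t nat -A OUTPUT -o lo $spec
}

# Nothing runs unless the script is invoked as: sh redirect_syslog.sh apply
case "${1:-}" in
    apply)
        apply_redirect udp "$SYSLOG_PORT" "$SPLUNK_PORT"
        apply_redirect tcp "$SYSLOG_PORT" "$SPLUNK_PORT"
        iptables -t nat -S PREROUTING   # show the rules actually installed
        iptables -t nat -S OUTPUT
        ;;
esac
```

On the Splunk side, point the network inputs at the redirected port (a `[udp://1514]` and a `[tcp://1514]` stanza in inputs.conf) rather than at 514. Note that with this approach, unlike the syslog-daemon approach, anything sent while Splunk is restarting is lost: UDP datagrams are simply dropped and TCP connections are refused until the new process binds the port.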

March 13, 2012, 3:10 am