Question : SC4S starts and sends event to Splunk server but doesn't listen on 514 #2467
Hi,
Installed SC4S on Ubuntu 22, disabled syslog-ng (tried enabling/starting it - no difference). Is there any source/config that still has to be added to create the listeners? Haven't found this part in the docs: https://splunk.github.io/splunk-connect-for-syslog/
syslog-ng 4 (4.7.1)
May 19 14:24:04 ip-172-31-91-188 entrypoint.sh[6451]: SC4S_ENV_CHECK_HEC: Splunk HEC connection test successful to index=main for sourcetype=sc4s:fallback...
Thanks!
Replies: 1 comment
Hello, @advissor !
What I can propose to check:
First of all, check that port 514 is open for the container (you can check the port mapping of the sc4s container).
Check that you don't have a firewall on the sc4s server or on the device producing the log messages; if you do have a firewall, you need to configure it correctly.
Run
echo "<11>Jan 25 17:57:16 10.10.10.2 : %FTD-6-605005: Login permitted from manual/61023 to Sample_Dest_Web:##dest1##/11347 for user sample_user3" | nc 127.0.0.1 514
where 127.0.0.1 is the IP of the sc4s server and Jan 25 17:57:16 is the date of your log message; please change it to today. If a new message appears (with date Jan 25 17:57:16 in the example case; don't forget to expand the search time range for …
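The three checks in the reply above (container port mapping, a listener actually bound on the host, and a test message with a current timestamp), collected into shell helpers. This is an added example written for this page, not code from the thread or from the SC4S project. It assumes, which the thread does not state, that the SC4S container is named "SC4S" and runs under docker or podman, and that `ss` and `nc` are installed on the host.

```shell
#!/bin/sh
# Added example, not part of the thread or of the SC4S project: shell helpers for the
# three checks the reply suggests (container port mapping, host listener, test message).
# Assumptions not stated on the page: the SC4S container is named "SC4S" and runs under
# docker or podman; `ss` and `nc` are installed on the host.

# Syslog PRI = facility * 8 + severity. The <11> in the reply's message is
# facility user (1) * 8 + severity err (3).
syslog_pri() {
    echo $(( $1 * 8 + $2 ))
}

# Build the reply's test message as an RFC 3164 line. Without an argument it is stamped
# with the current time, so it lands inside a default "last 24 hours" search window
# instead of on Jan 25; pass an explicit timestamp to reproduce the original line.
build_test_message() {
    ts="${1:-$(date '+%b %e %H:%M:%S')}"
    printf '<%s>%s 10.10.10.2 : %%FTD-6-605005: Login permitted from manual/61023 to Sample_Dest_Web:##dest1##/11347 for user sample_user3\n' \
        "$(syslog_pri 1 3)" "$ts"
}

# Check 1: show the ports the container publishes; 514 should appear in the PORTS column.
check_port_mapping() {
    docker ps --filter name=SC4S --format '{{.Names}} {{.Ports}}' 2>/dev/null \
        || podman ps --filter name=SC4S --format '{{.Names}} {{.Ports}}'
}

# Check 2 (host side of the firewall question): list sockets bound to 514 on the host.
# Empty output means nothing is listening, whatever the firewall allows.
check_listener() {
    ss -lntu | awk '$5 ~ /:514$/'
}

# Check 3: send the test message over TCP (default) or UDP ("udp" as third argument),
# the same thing the reply's echo | nc one-liner does.
send_test_message() {
    host="${1:-127.0.0.1}"
    port="${2:-514}"
    proto="${3:-tcp}"
    if [ "$proto" = "udp" ]; then
        build_test_message | nc -u -w 1 "$host" "$port"
    else
        build_test_message | nc -w 1 "$host" "$port"
    fi
}

# Usage (on the sc4s host):
#   . ./sc4s_check.sh
#   check_port_mapping; check_listener; send_test_message 127.0.0.1 514
```

If `check_listener` prints nothing while `check_port_mapping` shows 514 published, the problem is in the container rather than in the firewall; if both look right and the message still does not show up, remember that `send_test_message` stamps it with the current time, so search for it in the current time range rather than on Jan 25.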