Hi,
I'm troubleshooting a syslog feed on a non-standard port. I ran a tcpdump, and the data is coming into the server, but it's not appearing in Splunk. The app is on the heavy forwarder, and here are my inputs:
[udp://*:20514]
index=ecs_network
sourcetype=syslog
connection_host = dns
disabled = 0
I also tried it without the asterisk. When I execute `splunk list monitor` on this hfw, nothing appears for udp. Should it? Any other ideas?