I am trying to get the Universal Forwarder to forward event logs (System and Security) from Windows to syslog on Linux. Nothing happens. The Linux box does not receive any packets addressed to port 514.
The computers are directly connected, the firewall on the Windows machine is off, and the netfilter firewall on the Linux machine just accepts everything.
The machines can ping each other, and the Windows machine can access the Linux machine using HTTP.
To create log entries I clear the log file, and Windows creates one log record to say that this happened. (I have also tried logging off and on again, and also opening a command window. No better.)
The file .../etc/system/local/outputs.conf says:
Any suggestions while I still have some hair?
Can you verify syslog is open on your Linux box with netstat -an | grep 514? You should see something like this:
answered 08 Aug '11, 00:11
Just to add to chrisrex's post... as port 514 is in the privileged port range, your Splunk indexer on Linux would have to be run with "root" permissions for UDP port 514 to open.
Also, you could try running a network sniffer such as "wireshark" on the Windows machine to ensure that syslog packets are actually being sent out over the network interface.
answered 08 Aug '11, 03:13
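The two checks above (is anything listening on UDP 514, and does a syslog datagram actually arrive?) can be exercised end to end on the receiving host with the following loopback script. This is an added example, not Splunk's or the poster's code; the hostname, tag and message text are constructed, and the port-0 run uses an ephemeral port so it works without root.

```python
"""Loopback check that a UDP syslog datagram can be bound for and received on this host.

Added example (not Splunk code). It builds an RFC 3164-style message the way a UDP
syslog forwarder would, delivers it to a local listener, and parses the PRI field.
Ports below 1024 (such as 514) can only be bound by root; that failure is reported
explicitly instead of silently looking like "no packets received".
"""
import socket


def build_syslog_message(facility: int, severity: int, host: str, tag: str, text: str) -> bytes:
    """Build <PRI>TIMESTAMP HOST TAG: MSG with PRI = facility * 8 + severity (RFC 3164)."""
    pri = facility * 8 + severity
    # Fixed, constructed timestamp; real forwarders insert the current time.
    return f"<{pri}>Aug  8 00:11:00 {host} {tag}: {text}".encode()


def parse_pri(datagram: bytes) -> tuple:
    """Return (facility, severity) decoded from the leading <PRI> field."""
    if not datagram.startswith(b"<") or b">" not in datagram:
        raise ValueError("datagram has no PRI field")
    pri = int(datagram[1:datagram.index(b">")])
    return pri // 8, pri % 8


def check_udp_syslog(port: int, timeout: float = 2.0) -> dict:
    """Bind 127.0.0.1:port, send one test message to it, and report what arrived."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        listener.bind(("127.0.0.1", port))
    except OSError as exc:  # PermissionError for privileged ports, EADDRINUSE if syslog already owns it
        listener.close()
        return {"bound": False, "port": port, "reason": f"{exc} (ports < 1024 need root)"}
    listener.settimeout(timeout)
    bound_port = listener.getsockname()[1]  # the real port when 0 (ephemeral) was requested
    msg = build_syslog_message(1, 6, "winhost", "WinEventLog",
                               "Security log cleared (constructed sample)")
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(msg, ("127.0.0.1", bound_port))
        data, _ = listener.recvfrom(65535)
    except socket.timeout:
        return {"bound": True, "port": bound_port, "received": False}
    finally:
        sender.close()
        listener.close()
    facility, severity = parse_pri(data)
    return {"bound": True, "port": bound_port, "received": True,
            "facility": facility, "severity": severity, "raw": data.decode()}


if __name__ == "__main__":
    print(check_udp_syslog(514))  # fails with a permission/in-use reason unless run as root
    print(check_udp_syslog(0))    # ephemeral port: the loopback round trip should succeed
```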