amiracle / homemonitor

Splunk app for home | monitor

No Data showing up #15

Closed lacktherof closed 6 years ago

lacktherof commented 6 years ago

Hi Kam, I'm running a Windows 10 box as my home monitor (Splunk) server. Running an R7000 forked with Asus-WRT. Batting zero on getting any inputs into the Win 10 box. All dashboards light up "no results found". I know my router is sending logs as they show up in my NAS when I direct them there. However, I can't get home monitor to do anything. Yes, port 514 is set up to accept the connection in Win10. Thoughts?

amiracle commented 6 years ago

First make sure you allowed the traffic through the windows firewall (UDP:514). Next, make sure Splunk’s service account has Administrator privilege.

lacktherof commented 6 years ago

amiracle, Yes, UDP 514 is open on the splunk box and service account has admin privilege. Nothing seems to work.

amiracle commented 6 years ago

When you run index=homemonitor, do you see any results?

lacktherof commented 6 years ago

Hi Kam,

Here’s a screen shot. No results. Frustrating.

Thanks for answering.


amiracle commented 6 years ago

I did not see the screen shot. A couple things I would do to verify the data coming into your machine. First, make sure you are in the home monitor app and click search. Once in search do a simple “index=homemonitor”

amiracle commented 6 years ago

Sorry about the closing, hit the wrong button.

Next, do a telnet session to the windows box to see if port 514 is open:

C:\>telnet splunkserver 514

Where splunkserver is either the IP or hostname that resolves to the server (localhost will work if you’re on the machine itself). If it shows “Connecting...” then you know Splunk is listening on port 514. If it just closes, then the port is not open and we can do other things to get it to work. One would be to open a new UDP port 1514.
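A caveat a practitioner would want here, and an added example that is not part of the thread or of the home monitor project: telnet opens a TCP connection, so it cannot probe a UDP listener; "Connect failed" on 514 is the expected result even when splunkd is bound to UDP 514. The script below does what telnet cannot: it builds an RFC 3164 style syslog datagram, proves the local UDP path with a throwaway loopback listener, and then fires a test event at the Splunk input so you can search for it. The host, port, hostname and message text are assumptions for the example; the timestamp constant exists only so the output is deterministic.

```python
import socket
from datetime import datetime

# Assumed for the example: Splunk on this machine, listening on UDP 514
# (the port the issue thread is about). Adjust for a remote indexer.
SPLUNK_HOST = "127.0.0.1"
SYSLOG_PORT = 514

# Constructed, fixed timestamp so the message bytes are reproducible.
FIXED_TIME = datetime(2018, 2, 3, 18, 37, 0)


def build_syslog_message(facility, severity, hostname, tag, text, timestamp=None):
    """Return an RFC 3164 style line as bytes: <PRI>Mmm dd hh:mm:ss host tag: text.

    PRI is facility * 8 + severity. The day is space-padded ("Feb  3", not
    "Feb 03"), which is what a BSD-syslog sender such as a router emits.
    """
    if not 0 <= facility <= 23 or not 0 <= severity <= 7:
        raise ValueError("facility must be 0-23 and severity 0-7")
    if timestamp is None:
        timestamp = datetime.now()
    pri = facility * 8 + severity
    stamp = f"{timestamp:%b} {timestamp.day:2d} {timestamp:%H:%M:%S}"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}".encode("ascii", "replace")


def send_syslog(payload, host=SPLUNK_HOST, port=SYSLOG_PORT):
    """Send one datagram to host:port and return the number of bytes sent.

    UDP has no handshake: sendto() succeeds whether or not anything is bound
    on the far side, so a successful return proves nothing about the listener.
    That is also why `telnet host 514` (a TCP connect) cannot test a UDP input.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


def udp_roundtrip(payload, timeout=2.0):
    """Bind a throwaway UDP listener on loopback, send payload to it, and return
    what arrived. This proves the local UDP stack works before blaming Splunk,
    the Windows firewall or the router."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
        listener.settimeout(timeout)
        port = listener.getsockname()[1]
        send_syslog(payload, "127.0.0.1", port)
        data, _addr = listener.recvfrom(4096)
        return data


if __name__ == "__main__":
    # Constructed test event modelled on a router log line; not real data.
    msg = build_syslog_message(1, 6, "R7000", "kernel", "homemonitor udp test")
    print("loopback delivery ok:", udp_roundtrip(msg) == msg)
    print("bytes sent to Splunk input:", send_syslog(msg))
    # Now search index=homemonitor. If the event is missing while netstat shows
    # splunkd bound to UDP 514, the problem is on the Splunk side, not the network.
```

Run it on the Splunk box itself first (loopback), then from another machine on the LAN with `SPLUNK_HOST` set to the server's address; the second run is the one that exercises the Windows firewall rule.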

lacktherof commented 6 years ago

Kam,

I used a local host telnet on the splunk box with the following output:

c:\>telnet localhost 514

Connecting To localhost...Could not open connection to the host, on port 514: Connect failed


lacktherof commented 6 years ago

Bummer,

I tried UDP 1514 (I opened up the port on Windows firewall) and still no joy

c:\>telnet localhost 1514

Connecting To localhost...Could not open connection to the host, on port 1514: Connect failed


lacktherof commented 6 years ago

I tried netstat on local machine (edited list down so it’s not too long). Splunk does show up on 514 and 1514. Not sure what the rest means.

c:\>netstat -abno

  TCP    [::]:49707             [::]:0                 LISTENING       684
 [lsass.exe]
  UDP    0.0.0.0:514            *:*                                    3076
 [splunkd.exe]
  UDP    0.0.0.0:1514           *:*                                    3076
 [splunkd.exe]
  UDP    0.0.0.0:3389           *:*                                    1080
  TermService
 [svchost.exe]

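The netstat listing above is the check that actually answers the question (telnet cannot, because it speaks TCP): splunkd owns UDP 514 and 1514, so the ports are open and the permissions theory does not hold. As an added example that is not part of the thread or of the home monitor project, the script below parses `netstat -abno` output into records and reports who is bound to a given UDP port. The sample text is a constructed excerpt modelled on the posted output, with the `*:*` foreign-address column restored; column widths are illustrative. It also flags a 0.0.0.0 binding, which is worth knowing: syslog over UDP carries no authentication, so whatever the Windows firewall rule admits can inject events into the index, and scoping that rule to the router's address or the LAN subnet is the sensible default.

```python
import re
import subprocess

# Constructed netstat -abno excerpt modelled on the one in the issue; not real output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    [::]:49707             [::]:0                 LISTENING       684
 [lsass.exe]
  UDP    0.0.0.0:514            *:*                                    3076
 [splunkd.exe]
  UDP    0.0.0.0:1514           *:*                                    3076
 [splunkd.exe]
  UDP    0.0.0.0:3389           *:*                                    1080
  TermService
 [svchost.exe]
"""

# Socket line: proto, local, foreign, optional TCP state, PID.
SOCKET_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)
# With -b, the owning executable follows on its own line in brackets.
PROCESS_RE = re.compile(r"^\s*\[(?P<exe>[^\]]+)\]\s*$")


def split_endpoint(endpoint):
    """'0.0.0.0:514' -> ('0.0.0.0', 514); '[::]:49707' -> ('::', 49707); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat_abno(text):
    """Parse `netstat -abno` output into a list of socket records.

    The [exe] line (sometimes preceded by a service name such as TermService,
    or by "Can not obtain ownership information") belongs to the socket line
    before it, so trailing lines are attached to the most recent record.
    """
    records = []
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            addr, port = split_endpoint(m["local"])
            records.append({
                "proto": m["proto"], "addr": addr, "port": port,
                "state": m["state"] or "", "pid": int(m["pid"]),
                "exe": None, "service": None,
            })
            continue
        if not records or not line.strip():
            continue  # header lines before the first socket, or blank lines
        p = PROCESS_RE.match(line)
        if p and records[-1]["exe"] is None:
            records[-1]["exe"] = p["exe"]
        elif records[-1]["exe"] is None:
            records[-1]["service"] = line.strip()
    return records


def udp_listener(records, port):
    """Return the record bound to UDP `port`, or None if nothing is bound."""
    for r in records:
        if r["proto"] == "UDP" and r["port"] == port:
            return r
    return None


def check_syslog_input(text, port=514, expected_exe="splunkd.exe"):
    """Is the expected process bound to UDP `port`, and on which interfaces?"""
    r = udp_listener(parse_netstat_abno(text), port)
    if r is None:
        return {"exe": None, "pid": None, "owned_by_expected": False, "all_interfaces": False}
    return {
        "exe": r["exe"],
        "pid": r["pid"],
        "owned_by_expected": r["exe"] == expected_exe,
        "all_interfaces": r["addr"] in ("0.0.0.0", "::"),  # reachable on every NIC the firewall admits
    }


def live_netstat():
    """Run netstat -abno on this Windows host; -b needs an elevated prompt."""
    return subprocess.run(["netstat", "-abno"], capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for p in (514, 1514):
        print(p, check_syslog_input(SAMPLE_NETSTAT, p))
    # On the real box: print(check_syslog_input(live_netstat(), 514))
```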

lacktherof commented 6 years ago

Just a few more details on my setup: Win 10 Pro is running Splunk. R7000 router (forked with Asus-XWRT). Logs set to forward to Splunk server. Opened up UDP 514 and 1514 on Splunk server. Still nothing.

I can’t TELNET into the ports.

Thoughts?

Thanks.


amiracle commented 6 years ago

Since your Windows box is not opening up either port 514 or 1514, this tells me Splunk does not have the right permissions to open the ports. I would recommend that you go to your services (open services.msc) and see what account is running the Splunk service. Make sure the account has administrator privileges (http://docs.splunk.com/Documentation/Splunk/7.0.2/Installation/ChoosetheuserSplunkshouldrunas).

Once you grant splunk admin rights, then it should be able to open the ports necessary for your router to send its syslog data into Splunk. One last check is to make sure that your Windows Firewall is open on UDP:514.

lacktherof commented 6 years ago

Hi Kam,

I installed Splunk with admin credentials and it has admin permissions. Again, I have Splunk running on a Win10 Pro laptop all by itself. I’m a little confused on limitations if I install as a local system user (I do not have Active Directory on my home network). “The Local System user has access to all data on the local machine by default, but nothing else.” Does that mean it can't monitor syslogs sent to it by my router?

Thanks.

Also, for what it’s worth, it looks like I’m not the only one who has this problem (see link below). Is there something we are missing?

Thanks.

https://answers.splunk.com/answers/496888/home-monitor-how-to-configure-the-app-to-get-syslo.html


amiracle commented 6 years ago

https://github.com/amiracle/homemonitor/wiki/Windows-10-and-Splunk-Enabling-syslog-UDP-514

I setup a page that walks through setting up Splunk with the firewall. Can you tell me your Windows 10 version (Pro, S, EDU etc.)? Also, can you run "netstat -an" and see if UDP 0.0.0.0:514 * shows up?

lacktherof commented 6 years ago

Hi Kam,

Not sure if you got the attachment. It’s my Splunk index file.


amiracle commented 6 years ago

I did not get any attachments. Are you still not able to get the data into your Windows 10 box?

amiracle commented 6 years ago

Closing the issue, if it comes back up please re-open.

lacktherof commented 6 years ago

Cool. Thanks. Issue is closed.
