---
title: "Nasuni Connector for Splunk"
slug: "splunk"
tags: ["Configuration", "Splunk", "Syslog", "Troubleshooting"]
updated: 2026-04-29T18:35:03Z
published: 2026-04-29T18:35:03Z
---

# Nasuni Connector for Splunk

The Nasuni Connector for Splunk enables security and operations teams to monitor, investigate, and respond to storage-related events across their Nasuni environment. By ingesting and parsing syslog data from Nasuni Edge Appliances and the Nasuni Management Console (NMC), the app normalizes and enriches events for efficient search, correlation, and integration with Splunk SOAR workflows.

## Overview

Once installed, the Nasuni Connector for Splunk automatically parses matching syslog messages and assigns key names to the relevant fields. It is available for installation from Splunkbase.

## Configure the Nasuni Connector for Splunk

### Step 1 — Install the app from Splunkbase

1. Log in to your Splunk instance and navigate to **Apps** in the top navigation bar.
2. Click **Find More Apps** to open the Splunkbase browser, then search for **Nasuni**.
3. Select the Nasuni app from the results and click **Install**. Splunk prompts for your Splunkbase credentials if not already authenticated.
4. Once installed, restart Splunk if prompted. The app appears in your **Apps** list.

---

### Step 2 — Enable the syslog listener

1. In Splunk, go to **Settings → Data Inputs → UDP** and click **New Local UDP**.
2. Enter `514` or another available port number. Set the **source type** to `syslog` and assign an appropriate **index** (e.g., `default`).
3. Save the input. Refer to the [Splunk documentation on monitoring TCP and UDP ports](https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports) for detailed guidance and platform-specific notes.

> [!NOTE]
> **Note:** *On Linux, Splunk must run as root (or have elevated privileges) to bind to ports below 1024. If port 514 is already in use by the OS syslog daemon (rsyslog/syslogd), disable that service's network listener first, or configure a port redirect from 514 to a higher port such as* `5514`.

---

### Step 3 — Configure the Nasuni Edge Appliance

Before proceeding, ensure the selected UDP/TCP port (for example, 514) is open between each Edge Appliance and your Splunk instance.

#### Enable syslog export (NMC)

1. Log in to the Nasuni Management Console (NMC).
2. Go to **Filers → Filer Settings → Syslog Export Settings** in the left navigation.
3. Select the Edge Appliance(s) you want to configure and click **Edit Filers**.
4. Under **Syslog Export**, enable syslog and enter the IP address or hostname of your Splunk instance as the syslog destination. If the port is not `514`, specify it as `host:port`.
5. Toggle on **Send Auditing Messages** and **Send Notification Messages**, and set **Lowest Log Level** to **Info**.
6. Save your changes. The Edge Appliance begins forwarding generic Edge and NMC events to Splunk. Refer to the [Nasuni NMC Guide - Syslog Export Settings](https://docs.nasuni.com/docs/chapter-8-filers-page#syslog-export) for detailed guidance.

#### (Optional) Enable volume auditing for filesystem audit events (NMC)

1. In the NMC, go to **Volumes → Auditing** under **Volume Services**.
2. Select the volume to audit and click **Edit Volumes**.
3. Set **Auditing Enabled** to **On** and select the event types to track. For ransomware coverage, include **Delete**, **Rename**, and **Security**.
4. Enable **Send Audit messages to syslog** and save. Filesystem audit events are now included in the syslog stream sent to Splunk. Refer to the [Nasuni NMC Guide - File System Auditing](https://docs.nasuni.com/docs/chapter-7-volumes-page#file-system-auditing) for detailed guidance.

> [!NOTE]
> **Note:** *Ransomware protection alerts and antivirus detection alerts are forwarded automatically once syslog export is enabled; no additional configuration is required for those event types.*

## Troubleshooting

### No events appear in Splunk

- Verify the UDP port for data input is enabled in **Settings → Data Inputs → UDP.**
- Confirm Splunk is running with sufficient privileges to listen on that port (root/admin on Linux).
- Check that no other process (rsyslog, syslogd) is already occupying port 514 — run `netstat -nlup` on Linux to verify.
- Test network connectivity between the Nasuni Edge Appliance and the Splunk host over UDP/TCP (for example, port 514).
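
The port and connectivity checks above can be scripted. The following is an added example, not part of the Nasuni or Splunk documentation: it lists what is bound to the syslog UDP port and sends one labelled test datagram that you can then search for. The tag `nasuni-splunk-test`, the marker string, and the script name are made up for this test; the host and port are whatever you configured in Step 2.

```shell
#!/usr/bin/env bash
# Added troubleshooting sketch (not Nasuni or Splunk code): is anything bound
# to the syslog port, and does a labelled test datagram reach the index?

# RFC 3164 PRI = facility * 8 + severity; local0 (16) at info (6) gives 134.
syslog_pri() { echo $(( $1 * 8 + $2 )); }

# Build "<PRI>Mmm dd hh:mm:ss host tag: marker" for the test datagram.
build_test_line() {
  printf '<%s>%s %s nasuni-splunk-test: %s' \
    "$(syslog_pri 16 6)" "$(LC_ALL=C date '+%b %e %H:%M:%S')" \
    "${HOSTNAME:-testhost}" "$1"
}

# Run on the Splunk host: list UDP listeners on the port (splunkd expected,
# not rsyslogd/syslogd). Showing the owning process needs root.
port_owner() { ss -H -lunp "sport = :$1"; }

# Run from a host on the same network path as the Edge Appliance (assumption).
# UDP gives no delivery confirmation, so success here only means the
# datagram left this host. Uses bash's /dev/udp pseudo-device.
send_test() {
  build_test_line "$3" > "/dev/udp/$1/$2"
}

# Usage: ./syslog-test.sh <splunk-host> <port>   (both supplied by you)
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  marker="nasuni-connectivity-test-$(date +%s)"
  send_test "$1" "$2" "$marker"
  echo "sent; now search Splunk for: sourcetype=syslog \"$marker\""
fi
```

If the marker never shows up in a search, run `port_owner 514` (or your chosen port) on the Splunk host to confirm the listener, then check firewall rules on the path.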

### Events are arriving, but not parsing correctly

- Confirm the sourcetype is set to `syslog` on the UDP data input.
- Verify that the Nasuni app is installed on the same Splunk instance that receives the data, not just the search head.
- Restart Splunk after installation if this step was skipped.

### Filesystem audit events missing

- Volume auditing must be enabled per volume in the NMC — confirm it is enabled for each volume you expect to see events from.
- Check that **Send Audit messages to syslog** is enabled in the volume auditing settings.
- Verify that the desired audit event types (Delete, Rename, Security, and so forth) are selected.

### Ransomware or antivirus alerts are missing

- Confirm syslog export is enabled and pointing to the correct Splunk IP address or hostname in **NMC → Filers → Notifications.**
- These alerts are generated by Nasuni's Ransomware Protection engine. Verify the relevant Nasuni features (Ransomware Protection, antivirus scanning) are licensed and active on the appliance.

## General checks

- Ensure firewall rules allow UDP/TCP traffic on port 514 from all Edge Appliances to the Splunk instance.
- If running Splunk Cloud, direct UDP inputs are not supported; a forwarder instance must be used as an intermediary to receive syslog and forward it to the cloud instance.
- After any configuration change in the NMC, allow a few minutes for events to begin flowing.
