<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Utilize on-prem Splunk Heavy Forwarder with Cisco Security Cloud for FMC logs into Splunk Cloud instance in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/748140#M118889</link>
    <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906"&gt;@livehybrid&lt;/a&gt;&amp;nbsp;I tried the query that you suggested to check internal logs for my HF and tweaked key words to see anything related to FMC/Cisco/estreamer. But, it does not show any error logs.&lt;/P&gt;</description>
    <pubDate>Tue, 17 Jun 2025 16:40:46 GMT</pubDate>
    <dc:creator>parthbhawsar</dc:creator>
    <dc:date>2025-06-17T16:40:46Z</dc:date>
    <item>
      <title>Utilize on-prem Splunk Heavy Forwarder with Cisco Security Cloud for FMC logs into Splunk Cloud instance</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/747947#M118837</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I have been trying to configure this application on one of our on-prem Heavy Forwarders to be able to ingest our FMC logs to our Splunk Cloud instance. I have so far been able to install the latest version of the app on the Heavy Forwarder and configure the FMC section via estreamer configuration and was able to save it. I have also created the index both on the HF and the Splunk Cloud instance. However, I don't seem to be getting the logs into the cloud instance through that source. I am trying to find out what additional steps are needed to be able to make it work. Hopefully, if someone has had a similar issue and was able to fix it or knows how to resolve it, then please let me know.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;#ciscosecuritycloud&lt;/P&gt;&lt;P&gt;Thanks in advance!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Parth&lt;/P&gt;</description>
      <pubDate>Fri, 13 Jun 2025 15:09:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/747947#M118837</guid>
      <dc:creator>parthbhawsar</dc:creator>
      <dc:date>2025-06-13T15:09:33Z</dc:date>
    </item>
    <item>
      <title>Re: Utilize on-prem Splunk Heavy Forwarder with Cisco Security Cloud for FMC logs into Splunk Cloud instance</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/747955#M118839</link>
      <description>&lt;P&gt;1. Be a bit more precise on how you defined the HF&lt;/P&gt;&lt;P&gt;2. You don't need an index on the HF.&lt;/P&gt;</description>
      <pubDate>Fri, 13 Jun 2025 20:42:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/747955#M118839</guid>
      <dc:creator>PickleRick</dc:creator>
      <dc:date>2025-06-13T20:42:33Z</dc:date>
    </item>
    <item>
      <title>Re: Utilize on-prem Splunk Heavy Forwarder with Cisco Security Cloud for FMC logs into Splunk Cloud instance</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/747958#M118840</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310928"&gt;@parthbhawsar&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Have you been able to confirm that HF is sending all its events to Splunk Cloud? ie Have you installed the UF app from your Splunk Cloud instance and been able to see the HF's _internal logs in Splunk Cloud?&lt;/P&gt;&lt;P&gt;If so are you able to see any error logs in _internal in relation to the Cisco app? For example:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index=_internal "error" ("cisco" OR "fmc")&lt;/LI-CODE&gt;</description>
      <pubDate>Sat, 14 Jun 2025 10:20:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/747958#M118840</guid>
      <dc:creator>livehybrid</dc:creator>
      <dc:date>2025-06-14T10:20:56Z</dc:date>
    </item>
    <item>
      <title>Re: Utilize on-prem Splunk Heavy Forwarder with Cisco Security Cloud for FMC logs into Splunk Cloud instance</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/747981#M118849</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310928"&gt;@parthbhawsar&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have recently configured the Cisco FMC and successfully integrated it with Splunk. Could you please check the error you are encountering in Splunk so that I can assist you further? If you continue to face any issues, I would recommend reaching out to the Cisco TAC team for additional support.&lt;/P&gt;</description>
      <pubDate>Mon, 16 Jun 2025 02:56:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/747981#M118849</guid>
      <dc:creator>kiran_panchavat</dc:creator>
      <dc:date>2025-06-16T02:56:46Z</dc:date>
    </item>
    <item>
      <title>Re: Utilize on-prem Splunk Heavy Forwarder with Cisco Security Cloud for FMC logs into Splunk Cloud instance</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/748139#M118888</link>
      <description>&lt;P&gt;I have configured the Cisco Security Cloud app on the HF because our FMC is not allowed to have any outbound access. As far as the configuration is concerned, I was able to import the cert from FMC and save the configuration in the Cisco Security Cloud app. I also created the index on the HF as well as the cloud instance. But, I don't see any logs from that source into the cloud. I checked the internal logs for the HF and I don't see any errors related to this.&lt;/P&gt;&lt;P&gt;I am adding the screenshot from the app configuration on the HF. It does not show the status as "Connected".&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="parthbhawsar_3-1750178041808.png" style="width: 400px;"&gt;&lt;img src="https://community.splunk.com/t5/image/serverpage/image-id/39394i935617B98B6D59F6/image-size/medium?v=v2&amp;amp;px=400" role="button" title="parthbhawsar_3-1750178041808.png" alt="parthbhawsar_3-1750178041808.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I tried opening a Cisco TAC Case, but as soon as I select the product category to Splunk, it asks me to open a ticket with Splunk support. So, I have been trying to figure out how to contact Cisco Support for the app add-on.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;FYI additional info, I also have the Cisco Security Cloud app on the cloud instance, which I am using for integration with another Cisco cloud product which seems to be working fine.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thank you!&lt;/P&gt;&lt;P&gt;Parth&lt;/P&gt;</description>
      <pubDate>Tue, 17 Jun 2025 16:38:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/748139#M118888</guid>
      <dc:creator>parthbhawsar</dc:creator>
      <dc:date>2025-06-17T16:38:18Z</dc:date>
    </item>
    <item>
      <title>Re: Utilize on-prem Splunk Heavy Forwarder with Cisco Security Cloud for FMC logs into Splunk Cloud instance</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/748140#M118889</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/170906"&gt;@livehybrid&lt;/a&gt;&amp;nbsp;I tried the query that you suggested to check internal logs for my HF and tweaked key words to see anything related to FMC/Cisco/estreamer. But, it does not show any error logs.&lt;/P&gt;</description>
      <pubDate>Tue, 17 Jun 2025 16:40:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Utilize-on-prem-Splunk-Heavy-Forwarder-with-Cisco-Security-Cloud/m-p/748140#M118889</guid>
      <dc:creator>parthbhawsar</dc:creator>
      <dc:date>2025-06-17T16:40:46Z</dc:date>
    </item>
  </channel>
</rss>

