All Apps and Add-ons

My Splunk Add-on for Check Point OPSEC LEA configuration works on an indexer, but why not on a heavy forwarder?

hassanali
Explorer

I am trying to deploy the Splunk Add-on for Check Point OPSEC LEA on a heavy forwarder and the configuration is not working. I tried it on the indexer directly and it worked, but when I try to configure it on the forwarder with the same setup as the one on indexer with an added outputs.conf that sends data to port 5515, it doesn't work.
I am assuming I need to then only listen on 5515 at the Indexer.

0 Karma

gjanders
SplunkTrust
SplunkTrust

The instructions for Best practice: Forward search head data to the indexer layer should apply here, I would just use port 9997 unless you have a particular reason to use 5515...

Obviously I'm assuming you have your indexers already listening for incoming traffic on port 9997 , if not there is information in the documentation about this.

0 Karma

hassanali
Explorer

The port that is being used to send traffic is not the problem. I was testing multiple add-ons and using separate ports helps me disable indexing.
The problem is with the events not being forwarded, the same configuration works for indexing but not when I try to forward events.

0 Karma

gjanders
SplunkTrust
SplunkTrust

So to be clear, you have your indexer listening on port 5515 / configured in its inputs.ocnf and your heavy forwarder sending traffic to port 5515 via it's outputs.conf file?

And your saying that it does not work as expected?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...