I am trying to deploy the Splunk Add-on for Check Point OPSEC LEA on a heavy forwarder and the configuration is not working. I tried it on the indexer directly and it worked, but when I try to configure it on the forwarder with the same setup as the one on the indexer, with an added outputs.conf that sends data to port 5515, it doesn't work.
I am assuming I need to then only listen on 5515 at the Indexer.
The instructions for "Best practice: Forward search head data to the indexer layer" should apply here. I would just use port 9997 unless you have a particular reason to use 5515...
Obviously I'm assuming you have your indexers already listening for incoming traffic on port 9997; if not, there is information in the documentation about this.
The port that is being used to send traffic is not the problem. I was testing multiple add-ons and using separate ports helps me disable indexing.
The problem is with the events not being forwarded; the same configuration works for indexing but not when I try to forward events.
So to be clear, you have your indexer listening on port 5515 / configured in its inputs.conf and your heavy forwarder sending traffic to port 5515 via its outputs.conf file?
And you're saying that it does not work as expected?