All Apps and Add-ons

My Splunk Add-on for Check Point OPSEC LEA configuration works on an indexer, but why not on a heavy forwarder?

hassanali
Explorer

I am trying to deploy the Splunk Add-on for Check Point OPSEC LEA on a heavy forwarder and the configuration is not working. I tried it on the indexer directly and it worked, but when I try to configure it on the forwarder with the same setup as the one on indexer with an added outputs.conf that sends data to port 5515, it doesn't work.
I am assuming I need to then only listen on 5515 at the Indexer.

0 Karma

gjanders
SplunkTrust
SplunkTrust

The instructions for Best practice: Forward search head data to the indexer layer should apply here, I would just use port 9997 unless you have a particular reason to use 5515...

Obviously I'm assuming you have your indexers already listening for incoming traffic on port 9997 , if not there is information in the documentation about this.

0 Karma

hassanali
Explorer

The port that is being used to send traffic is not the problem. I was testing multiple add-ons and using separate ports helps me disable indexing.
The problem is with the events not being forwarded, the same configuration works for indexing but not when I try to forward events.

0 Karma

gjanders
SplunkTrust
SplunkTrust

So to be clear, you have your indexer listening on port 5515 / configured in its inputs.ocnf and your heavy forwarder sending traffic to port 5515 via it's outputs.conf file?

And your saying that it does not work as expected?

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!