All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

My Splunk Add-on for Check Point OPSEC LEA configuration works on an indexer, but why not on a heavy forwarder?

hassanali
Explorer
‎11-29-2016 02:13 PM

I am trying to deploy the Splunk Add-on for Check Point OPSEC LEA on a heavy forwarder and the configuration is not working. I tried it on the indexer directly and it worked, but when I try to configure it on the forwarder with the same setup as the one on indexer with an added outputs.conf that sends data to port 5515, it doesn't work.
I am assuming I need to then only listen on 5515 at the Indexer.

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎11-29-2016 11:24 PM

The instructions for Best practice: Forward search head data to the indexer layer should apply here, I would just use port 9997 unless you have a particular reason to use 5515...

Obviously I'm assuming you have your indexers already listening for incoming traffic on port 9997 , if not there is information in the documentation about this.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply

hassanali
Explorer
‎12-05-2016 12:36 PM

The port that is being used to send traffic is not the problem. I was testing multiple add-ons and using separate ports helps me disable indexing.
The problem is with the events not being forwarded, the same configuration works for indexing but not when I try to forward events.

0 Karma
Reply

gjanders
SplunkTrust
SplunkTrust
‎12-05-2016 04:57 PM

So to be clear, you have your indexer listening on port 5515 / configured in its inputs.ocnf and your heavy forwarder sending traffic to port 5515 via it's outputs.conf file?

And your saying that it does not work as expected?

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...