All Apps and Add-ons

My Splunk Add-on for Check Point OPSEC LEA configuration works on an indexer, but why not on a heavy forwarder?

hassanali
Explorer

I am trying to deploy the Splunk Add-on for Check Point OPSEC LEA on a heavy forwarder and the configuration is not working. I tried it on the indexer directly and it worked, but when I try to configure it on the forwarder with the same setup as the one on indexer with an added outputs.conf that sends data to port 5515, it doesn't work.
I am assuming I need to then only listen on 5515 at the Indexer.

0 Karma

gjanders
SplunkTrust
SplunkTrust

The instructions for Best practice: Forward search head data to the indexer layer should apply here, I would just use port 9997 unless you have a particular reason to use 5515...

Obviously I'm assuming you have your indexers already listening for incoming traffic on port 9997 , if not there is information in the documentation about this.

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma

hassanali
Explorer

The port that is being used to send traffic is not the problem. I was testing multiple add-ons and using separate ports helps me disable indexing.
The problem is with the events not being forwarded, the same configuration works for indexing but not when I try to forward events.

0 Karma

gjanders
SplunkTrust
SplunkTrust

So to be clear, you have your indexer listening on port 5515 / configured in its inputs.ocnf and your heavy forwarder sending traffic to port 5515 via it's outputs.conf file?

And your saying that it does not work as expected?

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!