I am trying to deploy the Splunk Add-on for Check Point OPSEC LEA on a heavy forwarder, and the configuration is not working. I tried it on the indexer directly and it worked, but when I try to configure it on the forwarder with the same setup as the one on the indexer, plus an added outputs.conf that sends data to port 5515, it doesn't work.
I am assuming I need to then only listen on 5515 at the Indexer.
The port that is being used to send traffic is not the problem. I was testing multiple add-ons and using separate ports helps me disable indexing.
The problem is with the events not being forwarded; the same configuration works for indexing but not when I try to forward events.
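For comparison, the following is an added example of the minimal forwarding pair the setup above implies, written as an editorial illustration and not taken from the poster's actual files or from the add-on's own configuration: an outputs.conf on the heavy forwarder that sends cooked data to the indexer on port 5515, and the matching splunktcp input on the indexer. The host name, group name, and the choice to disable local indexing on the forwarder are assumptions for the example.

```ini
# --- outputs.conf on the heavy forwarder (example; hostname and group name assumed) ---
[tcpout]
defaultGroup = primary_indexers
# On a heavy forwarder the data is parsed locally; keeping a local copy
# indexed as well is optional and controlled here. false = forward only.
indexAndForward = false

[tcpout:primary_indexers]
server = indexer.example.internal:5515

# --- inputs.conf on the indexer (example) ---
# The indexer must listen on the same port the forwarder targets, using a
# splunktcp input (cooked data from a forwarder), not a plain tcp input.
[splunktcp://5515]
disabled = false
```

With both sides in place, `splunk btool outputs list --debug` on the forwarder and `splunk btool inputs list splunktcp --debug` on the indexer show which files the effective settings come from, which is the first check when the same add-on configuration indexes locally but never forwards.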