Technology Add-on for Cisco Secure Access Control Server (ACS): Why am I unable to see any data after installing the add-on?

euroa
Engager

I installed the Technology Add-on for Cisco Secure Access Control Server (ACS) on a heavy forwarder and pointed the Cisco ACS device to send data to the heavy forwarder via UDP 9010. I created an inputs.conf file with the following:

[udp://9010]
connection_host = dns
disabled = 0
followTail = 0
sourcetype = cisco:acs
crcSalt = 
index = cisco_secure_acs

and ensured that the port is open; however, I am still unable to see any data in the index. Does anyone have any ideas?

0 Karma

woodcock
Esteemed Legend

Sniff the port with tcpdump and see if the traffic is getting there. If it is missing, make sure that the sender is using UDP, not TCP, and make sure that ACL/firewall/routes/etc. are allowing the traffic. But you should not be sending directly to Indexers; you should be sending to a syslog aggregator like syslog-ng and doing this:

http://www.georgestarcher.com/splunk-success-with-syslog/

0 Karma
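
The triage described in the answer above, as an added example that is not part of the original thread: it reads the text output of `tcpdump -nn` for the input port and reports whether datagrams arrive as UDP, arrive as TCP, are answered with "port unreachable" by the receiving host, or never arrive. The capture lines, the addresses and the `classify` helper are constructed for illustration.

```python
import re

# Constructed sample of `tcpdump -nn port 9010` output; addresses are documentation ranges.
SAMPLE = """\
14:02:11.000001 IP 192.0.2.10.51234 > 192.0.2.20.9010: UDP, length 287
14:02:12.310007 IP 192.0.2.10.51234 > 192.0.2.20.9010: UDP, length 301
14:02:15.105332 IP 192.0.2.11.40112 > 192.0.2.20.9010: Flags [S], seq 1234567, win 64240, length 0
"""

PACKET = re.compile(r"IP (?P<src>\S+)\.\d+ > \S+\.(?P<dport>\d+): (?P<rest>.*)")
UNREACHABLE = re.compile(r"ICMP \S+ udp port (?P<port>\d+) unreachable")

def classify(capture, port=9010):
    """Summarise a text capture: who sent what to `port`, and what to check next."""
    udp, tcp, unreachable = set(), set(), False
    for line in capture.splitlines():
        icmp = UNREACHABLE.search(line)
        if icmp:
            # The receiving host answered "port unreachable": nothing is bound
            # to the UDP port (or a local firewall rule rejects it).
            unreachable = unreachable or int(icmp.group("port")) == port
            continue
        pkt = PACKET.search(line)
        if not pkt or int(pkt.group("dport")) != port:
            continue  # replies, other ports, unparsable lines
        if pkt.group("rest").startswith("UDP"):
            udp.add(pkt.group("src"))
        elif pkt.group("rest").startswith("Flags"):
            tcp.add(pkt.group("src"))  # tcpdump prints TCP segments as "Flags [...]"
    if unreachable:
        verdict = "no_listener"       # host reached, input not listening
    elif udp:
        verdict = "udp_arriving"      # network path is fine
    elif tcp:
        verdict = "sender_using_tcp"  # sender is configured for TCP, input is UDP
    else:
        verdict = "no_traffic"        # check ACLs, firewalls, routes, sender target
    return {"verdict": verdict, "udp_senders": sorted(udp), "tcp_senders": sorted(tcp)}

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A `udp_arriving` verdict means the datagrams reach the forwarder, so the remaining checks are on the receiving side rather than on the network path.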