All Apps and Add-ons

Unable to forward Cisco ESA logs from Heavy Forwarder

spodda01da
Path Finder

Hello All,

I am having trouble forwarding CiscoESA (authentication) logs from HF to Indexers.

Here are the steps taken to configure it:
- Installed Splunk Add-on for Cisco ESA on HF & SH.
- Copied "Authentication logs" from ESA to HF via SCP
- Created following inputs.conf file under Splunk_TA_cisco-esa folder on HF:

   [monitor:///opt/splunk/etc/apps/Splunk_TA_cisco-esa/data/authentication/authentication.@20200325T075236.s]
   disabled = false
   index = ciscoesa
   sourcetype = cisco:esa:authentication

Not sure if I missed anything on HF as Windows events are being forwarder from same HF to Indexer without any issue.

Can anyone please suggest what could be the issue.

Thanks,

0 Karma
1 Solution

PavelP
Motivator

Hello @spodda01da,

  1. you mention "logs" (multiple) - the monitor stanza point to one single log and not to a folder. Does this particular log exists?
  2. To forward logs from HF to Indexer you need outputs.conf too (or configure forwarding). What does "splunk list forward-server" command show?

View solution in original post

0 Karma

PavelP
Motivator

Hello @spodda01da,

  1. you mention "logs" (multiple) - the monitor stanza point to one single log and not to a folder. Does this particular log exists?
  2. To forward logs from HF to Indexer you need outputs.conf too (or configure forwarding). What does "splunk list forward-server" command show?
0 Karma

spodda01da
Path Finder

Hi @PavelP,

Yes there are multiple logs, but I have selected one for now to verify if the events are being forwarded.

Splunk List forward-server command list the following indexers (I have renamed the indexer server name):

Active forwards:
indexer3.com:9997
Configured but inactive forwards:
indexer1.com:9997
indexer2.com:9997

0 Karma

PavelP
Motivator

Hi @spodda01da,

looks good! Now check that the logs are arriving on the indexer:
index=_internal cisco:esa:authentication

check that your role can access the ciscoesa index:
index=ciscoesa earliest=-10y latest=now

0 Karma

spodda01da
Path Finder

Hi @PavelP,

This has been resolved. The issue was with my search as I used the range of last 24 hours but I forgot the logs are older than 24 hours. I could find the events after changing Time Duration to "All Time".

Thanks again for your help!

0 Karma
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

March Community Office Hours Security Series Uncovered!

Hello Splunk Community! In March, Splunk Community Office Hours spotlighted our fabulous Splunk Threat ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars in April. This post ...