Hello All,
I am having trouble forwarding CiscoESA (authentication) logs from HF to Indexers.
Here are the steps taken to configure it:
- Installed Splunk Add-on for Cisco ESA on HF & SH.
- Copied "Authentication logs" from ESA to HF via SCP
- Created following inputs.conf file under Splunk_TA_cisco-esa folder on HF:
[monitor:///opt/splunk/etc/apps/Splunk_TA_cisco-esa/data/authentication/authentication.@20200325T075236.s]
disabled = false
index = ciscoesa
sourcetype = cisco:esa:authentication
Not sure if I missed anything on the HF, as Windows events are being forwarded from the same HF to the indexer without any issue.
Can anyone please suggest what the issue could be?
Thanks,
Hello @spodda01da,
Hi @PavelP,
Yes there are multiple logs, but I have selected one for now to verify if the events are being forwarded.
The "splunk list forward-server" command lists the following indexers (I have renamed the indexer server names):
Active forwards:
indexer3.com:9997
Configured but inactive forwards:
indexer1.com:9997
indexer2.com:9997
Hi @spodda01da,
Looks good! Now check that the logs are arriving on the indexer:
index=_internal cisco:esa:authentication
check that your role can access the ciscoesa index:
index=ciscoesa earliest=-10y latest=now
Hi @PavelP,
This has been resolved. The issue was with my search as I used the range of last 24 hours but I forgot the logs are older than 24 hours. I could find the events after changing Time Duration to "All Time".
Thanks again for your help!
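As an added example, not code from this thread or from Splunk: the inputs.conf stanza from the original post run through a small offline check. It parses the monitor stanzas, confirms index/sourcetype/disabled are set, and flags that the export timestamp in the ESA file name (authentication.@20200325T075236.s) is older than the default "Last 24 hours" search window, which is exactly what made the search come back empty here. The helper names (parse_ts, check_inputs) and the 24-hour threshold are assumptions of this example.

```python
import configparser
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the stanza from the post; nothing is read from a live HF.
INPUTS_CONF = """
[monitor:///opt/splunk/etc/apps/Splunk_TA_cisco-esa/data/authentication/authentication.@20200325T075236.s]
disabled = false
index = ciscoesa
sourcetype = cisco:esa:authentication
"""

# ESA export files are named <log>.@YYYYMMDDTHHMMSS.s; capture the timestamp.
FILE_TS = re.compile(r"\.@(\d{8}T\d{6})\.s$")
DEFAULT_WINDOW = timedelta(hours=24)  # assumption: the UI default "Last 24 hours"

def parse_ts(stamp):
    """Turn 'YYYYMMDDTHHMMSS' into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)

def parse_monitor_stanzas(text):
    """Return {path: {key: value}} for every [monitor://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case exactly as written
    cp.read_string(text)
    return {s[len("monitor://"):]: dict(cp[s])
            for s in cp.sections() if s.startswith("monitor://")}

def check_stanza(path, settings, now):
    """Return a list of findings for one stanza; an empty list means it looks fine."""
    findings = []
    for key in ("index", "sourcetype"):
        if key not in settings:
            findings.append(f"missing '{key}' for {path}")
    if settings.get("disabled", "false").strip().lower() not in ("false", "0"):
        findings.append(f"stanza for {path} is disabled")
    m = FILE_TS.search(path)
    if m and now - parse_ts(m.group(1)) > DEFAULT_WINDOW:
        findings.append("file exported more than 24h ago: widen the search time "
                        "range (e.g. All Time) or the events will not show")
    return findings

def check_inputs(text, now=None):
    """Check every monitor stanza in an inputs.conf body against the current time."""
    now = now or datetime.now(timezone.utc)
    return {p: check_stanza(p, s, now) for p, s in parse_monitor_stanzas(text).items()}

if __name__ == "__main__":
    for path, findings in check_inputs(INPUTS_CONF).items():
        print(path, findings or "ok")
```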