Knowledge Management

Is there any log file maintained for UseAck activity?

Campbell04
New Member

Our IT auditors are asking if there is a method/means to view the useACK activity for completeness.

Tags (2)
0 Karma
1 Solution

MuS
SplunkTrust
SplunkTrust

Hi Campbell04,

Yes, and No.
By default you will only get a message if the universal forwarder is sending events again.

BUT, one can increase the logging for any tcpout* channels which would give you the messages you are after, BUT (yes, another but) this will be a lot of additional events and therefore network traffic).

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi Campbell04,

Yes, and No.
By default you will only get a message if the universal forwarder is sending events again.

BUT, one can increase the logging for any tcpout* channels which would give you the messages you are after, BUT (yes, another but) this will be a lot of additional events and therefore network traffic).

Hope this helps ...

cheers, MuS

0 Karma

Campbell04
New Member

Thanks. Where would you see these messages if the tcpout were increased? That is what I'm after.

0 Karma

MuS
SplunkTrust
SplunkTrust

Hi Campbell04,

the universal forwarder will log a running number for each event in splunkd.log or index=_internal, but here are your next two problems : this running number has no direct link to the event (one might get this information by turning on more debug logging on all instances), and _internal will only be kept for 30 days be default.

cheers, MuS

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...