Connecting Universal Forwarder to Heavy Forwarder Issue?

DanAlexander
Communicator

Hello Community,

I am having issues connecting my Universal Forwarder with a Heavy Forwarder.

I have the following set up: UF-->HF-->IDx

I can see the logs from HF to IDx, but not sure why I cannot see logs from UF-->HF

The connection HF-->IDx is [splunktcp-ssl] whereas the connection UF-->HF is [tcpout]

My question is how to troubleshoot the broken connection? I read the UF logs but still cannot find the issue.

Any help much appreciated.

Thank you All!

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @DanAlexander ,

yes you can use the same connection mechanism for UF->HF and HF->IDX because it's the same thing.

You can use SSL in both of them or not, as you like.

About the use of the correct password, it's usually assured by the way to deploy configurations: if you use a Deployment Server you're sure to deploy the correct password.

For more info see https://docs.splunk.com/Documentation/Splunk/9.0.4/Security/AboutsecuringyourSplunkconfigurationwith... and the following pages.

About certificates, you can use your own certificates (if you have) or the Splunk auto generated ones, the process is described in the above link.

Ciao.

Giuseppe


DanAlexander
Communicator

Hi @gcusello ,

Thanks for the reply.

I wanted to ask, may I use the same connection mechanism of the indexers (I have 3 of them) [splunktcp-ssl] talking to the HF for the UF-->HF?

The UFs can successfully talk to the indexers using [tcpout] and I have [splunktcp-ssl] on the IDx

How can I make sure the connecting nodes are using the correct password/certificates for the SSL connection? Any link with an explanation of how to properly set up [splunktcp-ssl] will be really helpful.

Where are those CA obtained from? I am not too familiar with the process... does this need to be paid for or is it included in the license I am paying for.

Thank you!



DanAlexander
Communicator

Hi @gcusello

Your time is much appreciated!

Thank you very much, I am sure I can manage it after your feedback.

Best regards,

Dan


gcusello
SplunkTrust
SplunkTrust

Hi @DanAlexander,

at first check if you enabled receiving in the HF, and if you correctly configured your UF to send logs to the HF.

then, if you're using ssl, check password and certificate.

You can troubleshoot the connection between UF and HF using telnet on the UF.

Ciao.

Giuseppe

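The two checks Giuseppe lists (is receiving enabled on the HF, and does the UF's output actually match that receiver, SSL included) can be done mechanically by reading the two conf files side by side. The script below is an added example written for this thread, not Splunk's own tooling: it parses a UF outputs.conf and an HF inputs.conf (both constructed here, with the hostname hf.example.internal and port 9997 as assumptions), lists every UF target, and reports whether the HF has an enabled splunktcp receiver on that port and whether both sides agree on TLS. The sample reproduces the mismatch discussed above, a plain [tcpout] group sending to a [splunktcp-ssl] listener, alongside a corrected outputs.conf that enables useSSL. The SSL detection is a simplification of Splunk's useSSL/legacy semantics: a group is treated as TLS if useSSL is true or a client certificate is configured. The last function is the telnet-style reachability test from the post, done with a plain socket connect.

```python
import configparser
import socket

# Constructed sample configs for this example (not taken from the thread).
# The UF sends plain TCP to the HF ...
UF_OUTPUTS_CONF = """
[tcpout]
defaultGroup = hf_group

[tcpout:hf_group]
server = hf.example.internal:9997
"""

# ... but the HF only listens with splunktcp-ssl, so the hop never completes.
HF_INPUTS_CONF = """
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = CHANGEME-placeholder
"""

# Corrected UF outputs.conf: same port, but TLS enabled on the sending side.
UF_OUTPUTS_CONF_SSL = """
[tcpout:hf_group]
server = hf.example.internal:9997
useSSL = true
clientCert = $SPLUNK_HOME/etc/auth/client.pem
sslPassword = CHANGEME-placeholder
"""


def parse_conf(text):
    """Parse a Splunk .conf file (INI-style stanzas) into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive (useSSL, clientCert)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def _enabled(stanza):
    return stanza.get("disabled", "0").lower() not in ("1", "true")


def uf_targets(uf_conf):
    """Return [(host, port, uses_ssl)] for every server in an enabled tcpout group."""
    global_ssl = uf_conf.get("tcpout", {}).get("useSSL", "")
    targets = []
    for name, stanza in uf_conf.items():
        if not name.startswith("tcpout:") or not _enabled(stanza):
            continue
        use_ssl = stanza.get("useSSL", global_ssl).lower() in ("true", "1", "yes")
        # Older style: a client certificate in the group implies an SSL output.
        use_ssl = use_ssl or "clientCert" in stanza or "sslCertPath" in stanza
        for server in stanza.get("server", "").split(","):
            server = server.strip()
            if server:
                host, port = server.rsplit(":", 1)
                targets.append((host, int(port), use_ssl))
    return targets


def hf_receivers(hf_conf):
    """Return {port: ssl_required} for every enabled splunktcp receiver on the HF."""
    receivers = {}
    for name, stanza in hf_conf.items():
        if not _enabled(stanza):
            continue
        if name.startswith("splunktcp-ssl:"):
            receivers[int(name[len("splunktcp-ssl:"):])] = True
        elif name.startswith("splunktcp://"):
            receivers[int(name[len("splunktcp://"):].rsplit(":", 1)[-1])] = False
    return receivers


def check_forwarding(uf_conf, hf_conf):
    """Compare each UF target with the HF receivers; return [(host, port, verdict)]."""
    receivers = hf_receivers(hf_conf)
    results = []
    for host, port, uf_ssl in uf_targets(uf_conf):
        if not receivers:
            verdict = "HF has no enabled splunktcp receiver (enable receiving first)"
        elif port not in receivers:
            verdict = f"no receiver on port {port}; HF listens on {sorted(receivers)}"
        elif receivers[port] and not uf_ssl:
            verdict = "UF sends plaintext to a [splunktcp-ssl] port; enable useSSL/clientCert on the UF"
        elif not receivers[port] and uf_ssl:
            verdict = "UF sends TLS to a plaintext [splunktcp://] port"
        else:
            verdict = "ok"
        results.append((host, port, verdict))
    return results


def tcp_reachable(host, port, timeout=3.0):
    """The telnet test from the thread: can the UF open a TCP connection to the HF port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    hf = parse_conf(HF_INPUTS_CONF)
    for label, conf in (("current", UF_OUTPUTS_CONF), ("fixed", UF_OUTPUTS_CONF_SSL)):
        for host, port, verdict in check_forwarding(parse_conf(conf), hf):
            print(f"{label}: {host}:{port} -> {verdict}")
```

Run it on the real files (`$SPLUNK_HOME/etc/system/local/outputs.conf` on the UF and the HF's inputs.conf, or the output of `splunk btool outputs list --debug` / `splunk btool inputs list --debug` pasted into the two strings) before touching certificates: a port or TLS mismatch shows up here without reading splunkd.log, and the reachability check separates "firewall/DNS" from "Splunk config" as the cause. Only once both pass is it worth checking sslPassword and the certificate chain on each side.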