Hello Community,
I am having issues connecting my Universal Forwarder with a Heavy Forwarder.
I have the following set up: UF-->HF-->IDx
I can see the logs from HF to IDx, but not sure why I cannot see logs from UF-->HF.
The connection HF-->IDx is [splunktcp-ssl] whereas the connection UF-->HF is [tcpout].
My question is how to troubleshoot the broken connection? I read the UF logs but still cannot find the issue.
Any help much appreciated.
Thank you All!
Hi @gcusello ,
Thanks for the reply.
I wanted to ask, may I use the same connection mechanism of the indexers (I have 3 of them) [splunktcp-ssl] talking to the HF for the UF-->HF?
The UFs can successfully talk to the indexers using [tcpout] and I have [splunktcp-ssl] on the IDx.
How can I make sure the connecting nodes are using the correct password/certificates for the SSL connection? Any link helping with an explanation on how to properly set up [splunktcp-ssl] will be really helpful.
Where are those CA obtained from? I am not too familiar with the process... does this need to be paid for or is it included in the license I am paying for?
Thank you!
Hi @DanAlexander ,
Yes, you can use the same connection mechanism for UF->HF and HF->IDX because it's the same thing.
You can use SSL in both of them or not, as you like.
About the use of the correct password, it's usually assured by the way you deploy configurations: if you use a Deployment Server you're sure to deploy the correct password.
For more info, see https://docs.splunk.com/Documentation/Splunk/9.0.4/Security/AboutsecuringyourSplunkconfigurationwith... and the following pages.
About certificates, you can use your own certificates (if you have them) or the Splunk auto-generated ones; the process is described in the above link.
Ciao.
Giuseppe
Hi @gcusello,
Your time is much appreciated!
Thank you very much, I am sure I can manage it after your feedback.
Best regards,
Dan
Hi @DanAlexander,
First, check if you enabled receiving on the HF, and if you correctly configured your UF to send logs to the HF.
Then, if you're using SSL, check the password and certificate.
You can troubleshoot the connection between UF and HF using telnet on the UF.
Ciao.
Giuseppe
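
A matched pair of stanzas for the UF-->HF hop discussed in this thread, as an added example that is not from any of the posters or from Splunk's documentation. The host name, port 9997, group name, certificate paths and passwords are placeholders; the setting names are the standard ones from inputs.conf, outputs.conf and server.conf. An SSL receiver on the HF needs SSL settings on the UF's [tcpout] group, otherwise the TCP port answers but no events arrive.

```ini
# ---- Heavy Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Receiving must be enabled on the HF. This stanza listens for
# forwarder traffic over SSL on the placeholder port 9997.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# Placeholder path: server certificate + private key in one PEM file.
serverCert = $SPLUNK_HOME/etc/auth/mycerts/hf-server.pem
# Password protecting the private key in serverCert (placeholder).
sslPassword = <hf-key-password>
# Set to true only if every UF presents a client certificate
# signed by a CA the HF trusts.
requireClientCert = false

# ---- Heavy Forwarder: $SPLUNK_HOME/etc/system/local/server.conf ----
[sslConfig]
# Placeholder path: CA certificate(s) this instance trusts.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# ---- Universal Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ----
[tcpout]
defaultGroup = hf_ssl

[tcpout:hf_ssl]
# Must point at the HF's splunktcp-ssl port, not a plain splunktcp port.
server = hf.example.com:9997
# Placeholder path: client certificate + private key in one PEM file.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/uf-client.pem
# Password protecting the private key in clientCert (placeholder).
sslPassword = <uf-key-password>
# Reject the HF if its certificate does not chain to the trusted CA.
sslVerifyServerCert = true

# ---- Universal Forwarder: $SPLUNK_HOME/etc/system/local/server.conf ----
[sslConfig]
# Same CA that signed the HF's server certificate (placeholder path).
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
```

Restart both instances after the change; if events still do not arrive, the TcpOutputProc entries in the UF's splunkd.log and the TcpInputProc entries in the HF's splunkd.log show which side rejected the connection.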