Getting Data In

Connecting Universal Forwarder to Heavy Forwarder Issue?

DanAlexander
Communicator

Hello Community,

I am having issues connecting my Universal Forwarder with a Heavy Forwarder.

I have the following set up: UF-->HF-->IDx

I can see the logs from HF to IDx, but not sure why I cannot see logs from UF-->HF

The connection HF-->IDx is [splunktcp-ssl] whereas the connection UF-->HF is [tcpout]

My question is how to troubleshoot the broken connection? I read the UF logs but still cannot find the issue.

Any help much appreciated.

Thank you All!

1 Solution

gcusello
SplunkTrust

Hi @DanAlexander ,

Yes, you can use the same connection mechanism for UF->HF and HF->IDX because it's the same thing.

You can use SSL in both of them or not, as you like.

About the use of the correct password, it's usually assured by the way you deploy configurations: if you use a Deployment Server you're sure to deploy the correct password.

For more info see https://docs.splunk.com/Documentation/Splunk/9.0.4/Security/AboutsecuringyourSplunkconfigurationwith... and the following pages.

About certificates, you can use your own certificates (if you have them) or the Splunk auto-generated ones; the process is described in the above link.

Ciao.

Giuseppe


DanAlexander
Communicator

Hi @gcusello ,

Thanks for the reply.

I wanted to ask, may I use the same connection mechanism of the indexers (I have 3 of them) [splunktcp-ssl] talking to the HF for the UF-->HF?

The UFs can successfully talk to the indexers using [tcpout] and I have [splunktcp-ssl] on the IDx

How can I make sure the connecting nodes are using the correct password/certificates for the SSL connection? Any link helping with an explanation of how to properly set up [splunktcp-ssl] will be really helpful.

Where are those CAs obtained from? I am not too familiar with the process... does this need to be paid for, or is it included in the license I am paying for?

Thank you!



DanAlexander
Communicator

Hi @gcusello

Your time is much appreciated!

Thank you very much, I am sure I can manage it after your feedback.

Best regards,

Dan


gcusello
SplunkTrust

Hi @DanAlexander,

First, check whether you enabled receiving on the HF, and whether you correctly configured your UF to send logs to the HF.

Then, if you're using SSL, check the password and certificate.

You can troubleshoot the connection between UF and HF using telnet on the UF.

Ciao.

Giuseppe

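A script that walks Giuseppe's checklist against the two config files involved (receiving stanza present on the HF, UF pointed at that port, and the SSL side lined up on both ends), added here as an example and not code from the thread or from Splunk. The stanza and key names ([tcpout], server, clientCert, useSSL, [splunktcp-ssl:<port>], [SSL]) are Splunk's own; the sample files, hostname and certificate paths are constructed, and port_open stands in for the telnet test using bash's /dev/tcp.

```bash
#!/usr/bin/env bash
# Writes constructed sample configs (not from any real deployment) into $1.
# $2 = 1 gives the UF tcpout group a clientCert (TLS on); 0 leaves it plaintext.
make_sample_configs() {
  cat > "$1/outputs.conf" <<'EOF'
[tcpout]
defaultGroup = hf_group
[tcpout:hf_group]
server = hf.example.internal:9997
EOF
  if [ "$2" = 1 ]; then
    printf 'clientCert = /opt/splunkforwarder/etc/auth/uf.pem\nsslPassword = placeholder\n' >> "$1/outputs.conf"
  fi
  cat > "$1/inputs.conf" <<'EOF'
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = /opt/splunk/etc/auth/hf.pem
sslPassword = placeholder
EOF
}
# Ports the UF sends to: every host:port in "server = a:9997, b:9998" lines of outputs.conf
uf_target_ports() {
  grep -E '^server *=' "$1" | sed -E 's/^server *= *//' | tr ',' '\n' | sed -E 's/.*://' | tr -d ' '
}
# Receiving stanzas on the HF, printed as "<kind> <port>", e.g. "splunktcp-ssl 9997"
hf_receivers() {
  grep -E '^\[splunktcp(-ssl)?(:|://)[0-9]+\]' "$1" | sed -E 's/^\[(splunktcp(-ssl)?)(:|:\/\/)([0-9]+)\]/\1 \4/'
}
# $1 = UF outputs.conf, $2 = HF inputs.conf. Returns 0 only if every UF target port has a
# receiver and, for a [splunktcp-ssl] receiver, the UF actually turns TLS on (clientCert or useSSL).
check_forwarding_config() {
  local rc=0 port kind
  for port in $(uf_target_ports "$1"); do
    kind=$(hf_receivers "$2" | awk -v p="$port" '$2==p {print $1}')
    if [ -z "$kind" ]; then
      echo "FAIL: UF sends to port $port but HF has no splunktcp/splunktcp-ssl stanza for it"; rc=1
    elif [ "$kind" = splunktcp-ssl ] && ! grep -qE '^clientCert *=|^useSSL *= *true' "$1"; then
      echo "FAIL: HF port $port is [splunktcp-ssl] but the UF tcpout group sends plaintext"; rc=1
    else
      echo "OK: port $port -> $kind"
    fi
  done
  return $rc
}
# telnet substitute run on the UF: port_open hf.example.internal 9997
port_open() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}
```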