How to ingest CAS Logs from servers running old Un...

nadeemahmed · ‎08-23-2022

Hi all,

I am pretty new to splunk myself.

I recently installed an add-on for ingesting CAS logs from our exchange servers on a Heavy Forwarder.
Ref: Splunk Add-on for Microsoft Exchange - https://splunkbase.splunk.com/app/3225/

The splunk universal forwarder version on the exchange servers are currently 8.x and the Splunk version on the HF is version 9.

The logs were not coming thru, and we identified this was probably due to version 9 now having authentication features to communicate with UF.

So I temporarily modified the "authKeyStanza" in the restmap.conf file to "requireAuthentication = false"
Restarted splunk

Recreated server class via web console in forwader management.

Immediately started seeing quite a few events.

After getting proof of the events coming into the Search Heads also, I went back and change the "authKeyStanza" in the restmap.conf file to "requireAuthentication = true" and Restarted splunk again

Coming to MY QUESTION NOW is, will reverting my authentication value to true; STOP the ingestion of those logs?

I have not been able to view any error in splunkd.log, but I dont even see latest events.

How to ingest CAS Logs from servers running old Universal Forwarder version into Heavy Forwarder with version 9?

heavy forwarder

universal forwarder

Enterprise Security Content Update (ESCU) | New Releases

Index This | Divide 100 by half. What do you get?

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!