Getting Data In

How to ingest CAS Logs from servers running old Universal Forwarder version into Heavy Forwarder with version 9?

nadeemahmed
New Member

Hi all,

I am pretty new to splunk myself.

I recently installed an add-on for ingesting CAS logs from our exchange servers on a Heavy Forwarder.
Ref: Splunk Add-on for Microsoft Exchange - https://splunkbase.splunk.com/app/3225/

The splunk universal forwarder version on the exchange servers are currently 8.x and the Splunk version on the HF is version 9. 

The logs were not coming thru, and we identified this was probably due to version 9 now having authentication features to communicate with UF. 

So I temporarily modified the "authKeyStanza" in the restmap.conf file to "requireAuthentication = false"
Restarted splunk 

Recreated server class via web console in forwader management.

Immediately started seeing quite a few events. 

After getting proof of the events coming into the Search Heads also, I went back and change the "authKeyStanza" in the restmap.conf file to "requireAuthentication = true" and Restarted splunk again

Coming to MY QUESTION NOW is, will reverting my authentication value to true; STOP the ingestion of those logs? 

I have not been able to view any error in splunkd.log, but I dont even see latest events. 

Labels (2)
0 Karma
Get Updates on the Splunk Community!

New Splunk Observability innovations: Deeper visibility and smarter alerting to ...

You asked, we delivered. Splunk Observability Cloud has several new innovations giving you deeper visibility ...

Synthetic Monitoring: Not your Grandma’s Polyester! Tech Talk: DevOps Edition

Register today and join TekStream on Tuesday, February 28 at 11am PT/2pm ET for a demonstration of Splunk ...

Instrumenting Java Websocket Messaging

Instrumenting Java Websocket MessagingThis article is a code-based discussion of passing OpenTelemetry trace ...