How to ingest CAS Logs from servers running old Un...

nadeemahmed · ‎08-23-2022

Hi all,

I am pretty new to splunk myself.

I recently installed an add-on for ingesting CAS logs from our exchange servers on a Heavy Forwarder.
Ref: Splunk Add-on for Microsoft Exchange - https://splunkbase.splunk.com/app/3225/

The splunk universal forwarder version on the exchange servers are currently 8.x and the Splunk version on the HF is version 9.

The logs were not coming thru, and we identified this was probably due to version 9 now having authentication features to communicate with UF.

So I temporarily modified the "authKeyStanza" in the restmap.conf file to "requireAuthentication = false"
Restarted splunk

Recreated server class via web console in forwader management.

Immediately started seeing quite a few events.

After getting proof of the events coming into the Search Heads also, I went back and change the "authKeyStanza" in the restmap.conf file to "requireAuthentication = true" and Restarted splunk again

Coming to MY QUESTION NOW is, will reverting my authentication value to true; STOP the ingestion of those logs?

I have not been able to view any error in splunkd.log, but I dont even see latest events.

How to ingest CAS Logs from servers running old Universal Forwarder version into Heavy Forwarder with version 9?

heavy forwarder

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation