
Utilize on-prem Splunk Heavy Forwarder with Cisco Security Cloud for FMC logs into Splunk Cloud instance

parthbhawsar
Loves-to-Learn

Hello,

I have been trying to configure this application on one of our on-prem Heavy Forwarders to be able to ingest our FMC logs into our Splunk Cloud instance. I have so far been able to install the latest version of the app on the Heavy Forwarder and configure the FMC section via the eStreamer configuration, and was able to save it. I have also created the index both on the HF and on the Splunk Cloud instance. However, I don't seem to be getting the logs into the cloud instance through that source. I am trying to find out what additional steps are needed to make it work. Hopefully, if someone has had a similar issue and was able to fix it, or knows how to resolve it, they can let me know.


#ciscosecuritycloud

Thanks in advance!


Regards,

Parth


kiran_panchavat
Champion

@parthbhawsar 

We have recently configured the Cisco FMC and successfully integrated it with Splunk. Could you please check the error you are encountering in Splunk so that I can assist you further? If you continue to face any issues, I would recommend reaching out to the Cisco TAC team for additional support.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!

parthbhawsar
Loves-to-Learn

I have configured the Cisco Security Cloud app on the HF because our FMC is not allowed to have any outbound access. As far as the configuration is concerned, I was able to import the cert from FMC and save the configuration in the Cisco Security Cloud app. I also created the index on the HF as well as on the cloud instance. But I don't see any logs from that source in the cloud. I checked the internal logs for the HF and I don't see any errors related to this.

I am adding the screenshot from the app configuration on the HF. It does not show the status as "Connected".

[Screenshot: Cisco Security Cloud app configuration page on the HF]

I tried opening a Cisco TAC case, but as soon as I select the product category as Splunk, it asks me to open a ticket with Splunk support. So, I have been trying to figure out how to contact Cisco Support for the app add-on.


FYI, I also have the Cisco Security Cloud app on the cloud instance, which I am using for integration with another Cisco cloud product, and that seems to be working fine.


Thank you!

Parth


livehybrid
SplunkTrust

Hi @parthbhawsar 

Have you been able to confirm that the HF is sending all its events to Splunk Cloud? I.e., have you installed the UF app from your Splunk Cloud instance and been able to see the HF's _internal logs in Splunk Cloud?

If so, are you able to see any error logs in _internal in relation to the Cisco app? For example:

index=_internal "error" ("cisco" OR "fmc")


🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

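The two checks suggested in the reply above (is the HF's _internal data reaching Splunk Cloud at all, and do any _internal errors mention the Cisco/FMC/eStreamer integration) can be scripted against the Splunk REST search endpoint. This is an added example, not code from the thread or from the Cisco Security Cloud app; the HF hostname, the Splunk Cloud URL and the token come from environment variables and are assumptions.

```python
"""Hypothetical HF-to-Splunk-Cloud forwarding check (added example, not the app's own code)."""
import json
import os
import urllib.parse
import urllib.request


def internal_heartbeat_query(hf_host, minutes=15):
    # Every forwarder ships its own _internal index by default, so events from
    # the HF host here prove the HF -> Splunk Cloud path works at all.
    return (f'search index=_internal host="{hf_host}" earliest=-{minutes}m '
            '| stats count by sourcetype')


def cisco_error_query(hf_host, minutes=60):
    # Same idea as the query suggested in the thread, scoped to the HF host and
    # widened to the eStreamer component the app uses for FMC.
    return (f'search index=_internal host="{hf_host}" earliest=-{minutes}m '
            '(log_level=ERROR OR "error") ("cisco" OR "fmc" OR "estreamer") '
            '| stats count by source')


def diagnose(heartbeat_rows, error_rows):
    # Turn the two result sets into a verdict that points at the next step.
    if not heartbeat_rows:
        return "no-forwarding"  # HF not reaching Splunk Cloud: check outputs.conf / forward-server
    if error_rows:
        return "app-errors"     # HF forwards, and the integration is logging errors
    return "silent"             # HF forwards, nothing logged: app input likely never connected


def run_oneshot(base_url, token, spl):
    # Splunk REST: POST /services/search/jobs with exec_mode=oneshot returns results inline.
    body = urllib.parse.urlencode(
        {"search": spl, "exec_mode": "oneshot", "output_mode": "json"}).encode()
    req = urllib.request.Request(f"{base_url}/services/search/jobs", data=body,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.load(resp)["results"]


if __name__ == "__main__":
    # Assumed environment: SPLUNK_URL (e.g. https://<stack>.splunkcloud.com:8089), SPLUNK_TOKEN, HF_HOST.
    url, token, hf = os.environ["SPLUNK_URL"], os.environ["SPLUNK_TOKEN"], os.environ["HF_HOST"]
    heartbeat = run_oneshot(url, token, internal_heartbeat_query(hf))
    errors = run_oneshot(url, token, cisco_error_query(hf))
    print(diagnose(heartbeat, errors), heartbeat, errors)
```

The verdict "silent" matches the situation in this thread (HF internal logs arrive, no errors, app status not "Connected"), which is where the app configuration itself rather than forwarding needs attention.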

parthbhawsar
Loves-to-Learn

@livehybrid I tried the query that you suggested to check the internal logs for my HF and tweaked the keywords to see anything related to FMC/Cisco/eStreamer. But it does not show any error logs.


PickleRick
SplunkTrust

1. Be a bit more precise about how you defined the HF.

2. You don't need an index on the HF.
