Getting Data In

not seeing data in forwarder

hwkhan786
New Member

We have a Threatarmor appliance, it sends its logs in CEF format. I have a configured a Universal Forwarder on the same network as this appliance, (UF installed on Linux) from the Splunk ES I can query this UF and I see a number of events as follows

10-18-2019 09:02:10.955 +0100 INFO Metrics - group=tcpin_connections, x.x.x.x1:39658:9997, connectionType=cooked, sourcePort=39658, sourceHost=x.x.x.x1, sourceIp=x.x.x.x1, destPort=9997, kb=0.00, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.51, _tcp_Kprocessed=34245.94, _tcp_eps=0.00, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.00, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=bd63e13aa157, version=7.3.1, os=Linux, arch=x86_64, hostname=xxxxxxxxxx, guid=86A46F88-EA2A-4392-B3E9-E89FC9BC46C1, fwdType=uf, ssl=false, lastIndexer=x.x.x.x2:9997, ack=false

So as you can see the ES (x.x.x.x2) is picking up data from the UF (x.x.x.x1). I have configured the following .conf files on the forwarder

Inputs.conf
[monitor:///xxxxx//csv/logs]
host = xxxxx
sourcetype = threatarmor
index = threatarmor_csv

outputs.conf
[tcpout:group1]
server=x.x.x.x2:9997

[tcpout:group2]
server=x.x.x.x2:9997

So the problem is, while I can see system logs from the forwarder, I cannot see (unless im running the wrong searches) the logs from the threatarmor appliance, which should be logs in CEF format.

Please could you tell me what I am doing incorrectly here? The Threatarmor is an appliance so we are unable to install any third party software i.e. Splunk UF.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...