Getting Data In

not seeing data in forwarder

hwkhan786
New Member

We have a Threatarmor appliance, it sends its logs in CEF format. I have a configured a Universal Forwarder on the same network as this appliance, (UF installed on Linux) from the Splunk ES I can query this UF and I see a number of events as follows

10-18-2019 09:02:10.955 +0100 INFO Metrics - group=tcpin_connections, x.x.x.x1:39658:9997, connectionType=cooked, sourcePort=39658, sourceHost=x.x.x.x1, sourceIp=x.x.x.x1, destPort=9997, kb=0.00, _tcp_Bps=0.00, _tcp_KBps=0.00, _tcp_avg_thruput=0.51, _tcp_Kprocessed=34245.94, _tcp_eps=0.00, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.00, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=bd63e13aa157, version=7.3.1, os=Linux, arch=x86_64, hostname=xxxxxxxxxx, guid=86A46F88-EA2A-4392-B3E9-E89FC9BC46C1, fwdType=uf, ssl=false, lastIndexer=x.x.x.x2:9997, ack=false

So as you can see the ES (x.x.x.x2) is picking up data from the UF (x.x.x.x1). I have configured the following .conf files on the forwarder

Inputs.conf
[monitor:///xxxxx//csv/logs]
host = xxxxx
sourcetype = threatarmor
index = threatarmor_csv

outputs.conf
[tcpout:group1]
server=x.x.x.x2:9997

[tcpout:group2]
server=x.x.x.x2:9997

So the problem is, while I can see system logs from the forwarder, I cannot see (unless im running the wrong searches) the logs from the threatarmor appliance, which should be logs in CEF format.

Please could you tell me what I am doing incorrectly here? The Threatarmor is an appliance so we are unable to install any third party software i.e. Splunk UF.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...