not seeing data in forwarder


We have a Threatarmor appliance, and it sends its logs in CEF format. I have configured a Universal Forwarder on the same network as this appliance (UF installed on Linux). From the Splunk ES I can query this UF, and I see a number of events as follows:

10-18-2019 09:02:10.955 +0100 INFO Metrics - group=tcpinconnections, x.x.x.x1:39658:9997, connectionType=cooked, sourcePort=39658, sourceHost=x.x.x.x1, sourceIp=x.x.x.x1, destPort=9997, kb=0.00, _tcpBps=0.00, tcpKBps=0.00, tcpavgthruput=0.51, _tcpKprocessed=34245.94, tcpeps=0.00, processtimems=0, evtmisckBps=0.00, evtrawkBps=0.00, evtfieldskBps=0.00, evtfnkBps=0.00, evtfvkBps=0.00, evtfnstrkBps=0.00, evtfnmetadynkBps=0.00, evtfnmetapredefkBps=0.00, evtfnmetastrkBps=0.00, evtfvnumkBps=0.00, evtfvstrkBps=0.00, evtfvpredefkBps=0.00, evtfvofflenkBps=0.00, evtfvfpkBps=0.00, build=bd63e13aa157, version=7.3.1, os=Linux, arch=x8664, hostname=xxxxxxxxxx, guid=86A46F88-EA2A-4392-B3E9-E89FC9BC46C1, fwdType=uf, ssl=false, lastIndexer=x.x.x.x2:9997, ack=false

So as you can see the ES (x.x.x.x2) is picking up data from the UF (x.x.x.x1). I have configured the following .conf files on the forwarder

inputs.conf
[monitor:///xxxxx//csv/logs]
host = xxxxx
sourcetype = threatarmor
index = threatarmor_csv

outputs.conf
[tcpout:group1]
server=x.x.x.x2:9997

[tcpout:group2]
server=x.x.x.x2:9997

So the problem is, while I can see system logs from the forwarder, I cannot see (unless I'm running the wrong searches) the logs from the Threatarmor appliance, which should be logs in CEF format.

Please could you tell me what I am doing incorrectly here? The Threatarmor is an appliance so we are unable to install any third party software i.e. Splunk UF.

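As an added example (not from the original post, and not a Splunk tool), a small POSIX shell check to run on the UF host as the user splunkd runs as: it pulls the monitor path out of inputs.conf, collapses doubled slashes such as the //csv in the stanza above, and reports whether that path exists and holds files readable by that user, which is the first thing to rule out when a monitor input forwards nothing. Assumptions: file names contain no whitespace; the inputs.conf and directories used for the check are constructed.

```shell
#!/bin/sh
# Added example: sanity-check [monitor://...] stanzas in a UF inputs.conf.
# Run as the same OS user the forwarder runs as, because readability is
# tested with the permissions of whoever runs this script.

# Print the filesystem path of every [monitor://...] stanza, one per line.
# "[monitor:///x//csv/logs]" -> "/x/csv/logs" (repeated slashes collapsed).
monitor_paths() {
    sed -n 's#^\[monitor://\(.*\)]$#\1#p' "$1" | sed 's#//*#/#g'
}

# Check one monitored path. Returns 0 when it exists and at least one
# regular file under it is readable; prints a reason and returns 1 otherwise.
check_monitor_path() {
    p=$1
    if [ ! -e "$p" ]; then
        echo "MISSING: $p does not exist on this host"
        return 1
    fi
    if [ -d "$p" ]; then
        # First 50 regular files is enough to see whether anything is readable.
        files=$(find "$p" -type f 2>/dev/null | head -n 50)
    else
        files=$p
    fi
    if [ -z "$files" ]; then
        echo "EMPTY: $p contains no regular files (nothing to forward)"
        return 1
    fi
    readable=0
    for f in $files; do   # assumes file names without whitespace
        if [ -r "$f" ]; then
            readable=$((readable + 1))
        else
            echo "UNREADABLE: $f (fix ownership/permissions for the forwarder user)"
        fi
    done
    echo "OK: $p has $readable readable file(s)"
    [ "$readable" -gt 0 ]
}

# Usage on the UF host (path to inputs.conf assumed; adjust to your app dir):
#   for p in $(monitor_paths /opt/splunkforwarder/etc/system/local/inputs.conf); do
#       check_monitor_path "$p"
#   done
```

If every path reports OK, the input side is fine and the next things to confirm are that the index named in the stanza exists on the indexer and that the search is scoped to that index.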