Getting Data In

zScaler LSS Log Ingestion

omranb
Engager

I have set up a single-node test instance of Splunk to try and ingest zScaler LSS (not NSS) logs via a TCP input. However, it is not ingesting any data, despite being able to see traffic via tcpdump on that port.

I have installed the latest zScaler Splunk App (v2.0.7) and the zScaler Technical Add-on (v3.1.2).

[root@ip-10-127-0-113 apps]# ls | grep scaler
TA-Zscaler_CIM
zscalersplunkapp

Via the Web UI, I have set up a TCP input on port 10000 and set the sourcetype, app and index options.

I have checked to make sure that Splunk is listening on TCP/10000 and can see that it is:

[root@ip-10-127-0-113 apps]# netstat -antp | grep 10000
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      7992/splunkd
tcp        0      0 10.127.0.113:10000      x.x.x.x:38392     SYN_RECV    -
tcp        0      0 10.127.0.113:10000      x.x.x.x:51586     SYN_RECV    -
tcp        0      0 10.127.0.113:10000      x.x.x.x:53844     SYN_RECV    -

I can't see any errors in the _internal index (although I could be searching wrong). I'm using the below search:

index=_internal "err*"

The only errors I can see relate to the 'summarize' command.

Any pointers would be really appreciated.

Many thanks,

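The netstat output in the post is the most informative clue: splunkd is listening, but every client connection is stuck in SYN_RECV, which means the three-way handshake never completes (the server sent its SYN-ACK and never received the final ACK). tcpdump still sees the inbound SYNs, so "traffic on the port but nothing ingested" is exactly what this state produces. The script below is an added example (not part of the original post or of the Zscaler add-on) that classifies a `netstat -antp` snapshot for a given port and prints the check a practitioner would do next for each state. The embedded snapshot is constructed to mirror the post; the client address 192.0.2.10 is a placeholder for the redacted x.x.x.x, and the `send_test_event` helper assumes `nc` is installed and is not exercised by the built-in self-check.

```shell
#!/bin/sh
# Added example: triage a Splunk TCP input from a `netstat -antp` snapshot.
# Constructed sample, modelled on the post (192.0.2.10 stands in for x.x.x.x).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      7992/splunkd
tcp        0      0 10.127.0.113:10000      192.0.2.10:38392        SYN_RECV    -
tcp        0      0 10.127.0.113:10000      192.0.2.10:51586        SYN_RECV    -
tcp        0      0 10.127.0.113:10000      192.0.2.10:53844        SYN_RECV    -
tcp        0      0 127.0.0.1:8089          0.0.0.0:*               LISTEN      7992/splunkd'

# classify_listener PORT  (reads `netstat -antp` output on stdin)
# Prints one of: no-listener | listening-idle | listening-half-open:N | listening-established:N
classify_listener() {
    awk -v port="$1" '
        $1 == "tcp" || $1 == "tcp6" {
            n = split($4, local, ":"); lport = local[n]   # local port is the last ":"-separated field
            if (lport != port) next
            if ($6 == "LISTEN")           listen = 1
            else if ($6 == "SYN_RECV")    half++
            else if ($6 == "ESTABLISHED") est++
        }
        END {
            if (!listen)          print "no-listener"
            else if (est > 0)     print "listening-established:" est
            else if (half > 0)    print "listening-half-open:" half
            else                  print "listening-idle"
        }'
}

# explain STATE  -> the next check for that state
explain() {
    case "$1" in
        no-listener)
            echo "splunkd is not bound to the port: confirm the input with 'splunk btool inputs list tcp --debug' and restart splunkd" ;;
        listening-half-open:*)
            echo "handshake never completes: the SYN-ACK is not reaching the sender (security group / NACL / return route / NAT) or the accept backlog is full; tcpdump will still show inbound SYNs" ;;
        listening-established:*)
            echo "TCP works: check the search time range, the index/sourcetype on the input, and 'index=_internal sourcetype=splunkd component=TcpInputProc'" ;;
        listening-idle)
            echo "port is open but nothing has connected yet: send a test event with send_test_event and check the sender's egress rules" ;;
    esac
}

# send_test_event HOST PORT  (assumes nc is available; not run by the self-check)
send_test_event() {
    printf 'test event from %s at %s\n' "$(hostname)" "$(date -u +%FT%TZ)" | nc -w 3 "$1" "$2"
}

# Self-check against the constructed snapshot: port 10000 is the post's case.
state="$(printf '%s\n' "$SAMPLE_NETSTAT" | classify_listener 10000)"
echo "port 10000: $state"
explain "$state"
```

Run it for real with `netstat -antp | classify_listener 10000` (or `ss -antp`, whose columns differ, so adapt the awk field numbers). On an EC2 instance like the one in the post, a half-open result points first at the security group or NACL on the return path rather than at Splunk itself, because splunkd never gets a completed connection to read from.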