I have set up a single-node test instance of Splunk to try and ingest zScaler LSS (not NSS) logs via a TCP input. However, it is not ingesting any data, despite being able to see traffic via TCPDump on that port.
I have installed the latest zScaler Splunk App (v2.0.7) and the zScaler Technical Add-on (v3.1.2).
[root@ip-10-127-0-113 apps]# ls | grep scaler
TA-Zscaler_CIM
zscalersplunkapp
Via the WebUI, I have set up a TCP input on port 10000 and set the sourcetype, app and index options.
I have checked to make sure that Splunk is listening on TCP/10000 and can see that it is.
[root@ip-10-127-0-113 apps]# netstat -antp | grep 10000
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 7992/splunkd
tcp 0 0 10.127.0.113:10000 x.x.x.x:38392 SYN_RECV -
tcp 0 0 10.127.0.113:10000 x.x.x.x:51586 SYN_RECV -
tcp 0 0 10.127.0.113:10000 x.x.x.x:53844 SYN_RECV -
I can't see any errors in the _internal index (although I could be searching wrong). I'm using the below search:
index=_internal "err*"
The only errors I can see relate to the 'summarize' command.
Any pointers would be really appreciated.
Many thanks,
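The netstat output above shows a LISTEN socket plus several connections stuck in SYN_RECV, which means the listener received a SYN and answered it but the client's final ACK never arrived, so no data can reach splunkd regardless of how the input is configured. The following added script (not from the post or from Splunk) parses `netstat -antp` output for a given port and summarises the connection states so that a half-open-only pattern is distinguished from an idle listener or a working one; the sample below is constructed, modelled on the output in the post.

```python
# Constructed sample of `netstat -antp` output, modelled on the post (not captured data).
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 7992/splunkd
tcp 0 0 10.127.0.113:10000 x.x.x.x:38392 SYN_RECV -
tcp 0 0 10.127.0.113:10000 x.x.x.x:51586 SYN_RECV -
tcp 0 0 10.127.0.113:10000 x.x.x.x:53844 SYN_RECV -
"""


def parse_netstat(text):
    """Turn `netstat -antp` lines into dicts; non-TCP or malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        rows.append({
            "local": parts[3],
            "remote": parts[4],
            "state": parts[5],
            "prog": parts[6] if len(parts) > 6 else "-",
        })
    return rows


def local_port(addr):
    """Port of an address like 0.0.0.0:10000 or :::10000."""
    return int(addr.rsplit(":", 1)[1])


def assess_listener(rows, port):
    """Count TCP states on `port` and say what the mix implies for data ingestion."""
    states = {}
    for r in rows:
        if local_port(r["local"]) == port:
            states[r["state"]] = states.get(r["state"], 0) + 1
    if states.get("LISTEN", 0) == 0:
        verdict = "no listener"
    elif states.get("ESTABLISHED", 0) > 0:
        verdict = "connections established"
    elif states.get("SYN_RECV", 0) > 0:
        # SYN arrived and SYN-ACK was sent, but the handshake never completed:
        # the return path (routing, NAT, stateful filtering) needs checking
        # before the sourcetype or app configuration does.
        verdict = "half-open only"
    else:
        verdict = "listening, idle"
    return {"states": states, "verdict": verdict}
```

Run it against real output with `assess_listener(parse_netstat(open("netstat.txt").read()), 10000)`; a verdict of "connections established" with no events in the index moves the problem from the network to Splunk's input or parsing configuration.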