Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there any log file maintained for UseAck activity?

Campbell04
New Member
‎06-14-2018 04:18 PM

Our IT auditors are asking if there is a method/means to view the useACK activity for completeness.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎06-14-2018 06:22 PM

Hi Campbell04,

Yes, and No.
By default you will only get a message if the universal forwarder is sending events again.

BUT, one can increase the logging for any tcpout* channels which would give you the messages you are after, BUT (yes, another but) this will be a lot of additional events and therefore network traffic).

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎06-14-2018 06:22 PM

Hi Campbell04,

Yes, and No.
By default you will only get a message if the universal forwarder is sending events again.

BUT, one can increase the logging for any tcpout* channels which would give you the messages you are after, BUT (yes, another but) this will be a lot of additional events and therefore network traffic).

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

Campbell04
New Member
‎06-14-2018 07:42 PM

Thanks. Where would you see these messages if the tcpout were increased? That is what I'm after.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎06-17-2018 11:38 AM

Hi Campbell04,

the universal forwarder will log a running number for each event in splunkd.log or index=_internal, but here are your next two problems : this running number has no direct link to the event (one might get this information by turning on more debug logging on all instances), and _internal will only be kept for 30 days be default.

cheers, MuS

0 Karma
Reply
Get Updates on the Splunk Community!

.conf23 Registration is Now Open!

Time to toss the .conf-etti 🎉 —  .conf23 registration is open!   Join us in Las Vegas July 17-20 for ...

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Attention everyone! We have exciting news to share! We are recruiting new members for the Mission Possible: ...

Unify Your SecOps with Splunk Mission Control

In today’s post, I'm excited to share some recent Splunk Mission Control innovations. With Splunk Mission ...