I have a heavy forwarder (HF) to which all security device logs are pointed, and from the HF the logs are forwarded to the Indexer, but we don't have access to the Indexer and Search Head.
I want to validate that the configuration done on the HF for forwarding particular types of logs is getting them into the Indexer. How can I verify that all logs are being forwarded to the Indexer?
As can be observed in splunkd.log, "TcpOutEloop" shows that the HF is connected to the Indexer, where we can validate the configuration related to the Indexer.
Is there any way to validate that my security device logs, which are pointed to the HF, are being forwarded to the Indexer?
Hi @MayurMangoli ,
the only way to check if a log was forwarded to an Indexer is, as @richgalloway said, to run a search on the Search Head.
You don't have the information of which HF the data passed through, but you can see if the original host sent data.
If you think it would be interesting to know the hostname of the HF, you could upvote my request in Splunk Ideas, which is "Under Consideration" by Splunk: ideas.splunk.com/EID-l-1731
Ciao.
Giuseppe
You need access to the search head to confirm the data has been received properly. Coordinate that with your Splunk admin(s).
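
One way a Splunk admin could run the search-head check that both answers describe, comparing a list of expected security device hosts against what the indexers received in the last 24 hours. This is an added example, not part of the original thread; the three `example.net` hostnames are constructed placeholders, and `index=*` and the 24-hour window are assumptions to be narrowed to the real indexes and time range.

```spl
| makeresults
| eval host=split("fw01.example.net,ids01.example.net,proxy01.example.net", ",")
| mvexpand host
| fields host
| join type=left host
    [| tstats count AS events latest(_time) AS last_seen
        where index=* earliest=-24h by host]
| eval status=if(isnull(events), "MISSING", "RECEIVED")
| eval last_seen=strftime(last_seen, "%F %T")
| table host status events last_seen
```

The join matches `host` values exactly, so the list must use the host names as the devices report them. A `MISSING` row means no events from that host reached the indexers in the window; as noted above, the result does not show which HF the data passed through.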