I have set up a single-node test instance of Splunk to try and ingest zScaler LSS (not NSS) logs via a TCP input. However, it is not ingesting any data, despite my being able to see traffic via tcpdump on that port.

I have installed the latest zScaler Splunk App (v2.0.7) and the zScaler Technical Add-on (v3.1.2):

[root@ip-10-127-0-113 apps]# ls | grep scaler
TA-Zscaler_CIM
zscalersplunkapp

Via the WebUI, I have set up a TCP input on port 10000 and set the sourcetype, app and index options. I have checked to make sure that Splunk is listening on TCP/10000 and can see that it is:

[root@ip-10-127-0-113 apps]# netstat -antp | grep 10000
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 7992/splunkd
tcp 0 0 10.127.0.113:10000 x.x.x.x:38392 SYN_RECV -
tcp 0 0 10.127.0.113:10000 x.x.x.x:51586 SYN_RECV -
tcp 0 0 10.127.0.113:10000 x.x.x.x:53844 SYN_RECV -

I can't see any errors in the _internal index (although I could be searching wrong). I'm using the below search:

index=_internal "err*"

The only errors I can see relate to the 'summarize' command. Any pointers would be really appreciated. Many thanks,
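The following is an added diagnostic example; it is not code from the post above, nor from Zscaler or Splunk. It covers the two checks a reader would want to run on a TCP input that shows a listener but no data: interpreting the connection states in the `netstat` output (the netstat text below is constructed from the rows in the post, with one unrelated `sshd` row added), and proving the sender side works by pushing constructed lines through a throwaway loopback listener that stands in for the Splunk input. The sample lines are invented test text, not real LSS records, and the hostnames and ports are assumptions.

```python
"""Added example: check whether a Splunk TCP input can actually receive data.

1. classify_netstat()/diagnose() interpret `netstat -antp` style output for the
   input port. A LISTEN row proves splunkd bound the port; rows stuck in SYN_RECV
   mean the kernel sent SYN-ACK but never saw the client's ACK, so no bytes can
   reach splunkd yet (the '-' in the PID column is expected for half-open
   connections, which no process owns until accept() completes).
2. run_loopback_check() starts a throwaway listener on 127.0.0.1 and sends
   constructed lines to it with the same sender you would aim at the real input.
"""
import socket
import threading
from collections import Counter

# Constructed netstat output modelled on the post (remote addresses masked as x.x.x.x).
SAMPLE_NETSTAT = """\
tcp        0      0 0.0.0.0:10000        0.0.0.0:*            LISTEN      7992/splunkd
tcp        0      0 10.127.0.113:10000   x.x.x.x:38392        SYN_RECV    -
tcp        0      0 10.127.0.113:10000   x.x.x.x:51586        SYN_RECV    -
tcp        0      0 10.127.0.113:10000   x.x.x.x:53844        SYN_RECV    -
tcp        0      0 10.127.0.113:22      10.0.0.5:40000       ESTABLISHED 1234/sshd
"""

# Constructed test lines. These are NOT real Zscaler LSS records; they only need
# to be newline-terminated text so a TCP input can split them into events.
SAMPLE_LINES = [
    "2024-01-01T00:00:00Z test-sender=loopback seq=1 msg=hello",
    "2024-01-01T00:00:01Z test-sender=loopback seq=2 msg=world",
]


def classify_netstat(netstat_text, port):
    """Count TCP states for sockets whose local port is `port`."""
    states = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, state = fields[3], fields[5]
        if local.rsplit(":", 1)[-1] == str(port):
            states[state] += 1
    return states


def diagnose(netstat_text, port):
    """Return a one-word verdict on the listener state of `port`."""
    states = classify_netstat(netstat_text, port)
    if not states.get("LISTEN"):
        return "not-listening"            # input disabled, or bound to another port/address
    if states.get("ESTABLISHED"):
        return "connections-established"  # data path exists; look at Splunk-side parsing
    if states.get("SYN_RECV"):
        return "handshake-incomplete"     # SYN-ACK never acknowledged: firewall/NAT/return path
    return "listening-no-connections"     # nothing has tried to connect yet


def send_test_lines(host, port, lines, timeout=5.0):
    """Send newline-terminated `lines` over one TCP connection; return bytes sent."""
    payload = "".join(line + "\n" for line in lines).encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)


def run_loopback_check(lines, timeout=5.0):
    """Stand up a throwaway listener in place of the Splunk input, send `lines`
    to it, and return the bytes the listener received."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    server.listen(1)
    server.settimeout(timeout)
    port = server.getsockname()[1]
    received = bytearray()

    def accept_and_read():
        conn, _ = server.accept()
        with conn:
            conn.settimeout(timeout)
            while True:
                chunk = conn.recv(4096)
                if not chunk:  # sender closed the connection: EOF
                    break
                received.extend(chunk)

    reader = threading.Thread(target=accept_and_read, daemon=True)
    reader.start()
    send_test_lines("127.0.0.1", port, lines, timeout)
    reader.join(timeout)
    server.close()
    return bytes(received)


if __name__ == "__main__":
    print("netstat verdict for port 10000:", diagnose(SAMPLE_NETSTAT, 10000))
    got = run_loopback_check(SAMPLE_LINES)
    print("loopback listener received %d bytes, %d lines" % (len(got), got.count(b"\n")))
```

To test the real input, run `send_test_lines("10.127.0.113", 10000, SAMPLE_LINES)` from the host that should be sending (hostname assumed from the post); if that connection also sits in SYN_RECV on the Splunk side, the problem is between the two hosts rather than in Splunk. If it completes, search the configured index and sourcetype for `test-sender=loopback`, and look at splunkd's own TCP input logging with a narrower search than `"err*"`, for example `index=_internal sourcetype=splunkd component=TcpInputProc`.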