Jumbo frames may work, but I have never tried, and it should be supported by all assets the packets go through (the switches, routers, diodes, etc). Some diodes do compliance checks as well on IP packets. It will definitely need testing. For the CEF Add-On, ignore all data model related items. The only thing you want to use the CEF Add-On for is the sending of the actual syslog packets, anything else like CEF or Data Models can be safely ignored. The only thing that matters is the definition of the output destination. ... View more

Hi! The filtering doesn't happen by on the receiver side by default, that's better done on the sending side. The requirement to send an entire index has come up more often, so that's probably worth to document. In props.conf it's easy to filter based on sourcetype, host our source, but not really by index, so if you can't limit yourself to host, source or sourcetype, it may be better to go the CEF Add-On route. This also has the advantage you have more control over what is sent and you can send historical data as well. CEF Add-On can send UDP as well, but if you send large events (like Windows Event Log) you'll run into issues where an event is too big to fit in a single UDP packet. The problem with the CEF Add-On is the configuration of the syslog destination, do that using the GUI, and once you have your config statement okay, then copy that file to your indexers and run index=main | eval _raw="t="._time."|h=".host."|st=".sourcetype."|i=".index."|s=".source."|r="._raw| cefout routing=diode If you run like this you do not need to install the Diode Sender Add-On at all ... View more

Port 9997 will not work, this is the port for the S2S protocol, and since this protocol is TCP based and requires packets to go both ways, this will not work across a diode. You should be using the custom listener port in the receiver app and send data to that from the sender app. ... View more

Hi @djbutor Both the sending and the receiving app need some configuration. First decide whether to use TCP or UDP.I recommend TCP if your diode has support for it, otherwise fall back to UDP. Then configure the sender with the IP address of your diode, check the README.md and instead of the 127.0.0.1 put in the hostname or IP address of the diode and the port you want to use. You may need to configure items on the diode itself, but this will depend on the make and model. Then on the receiving side you need to listen to the specified port number, accept traffic and assign the appropriate sourcetype. To troubleshoot, use tcpdump or wireshark. The entire protocol is cleartext, and easy to read and that will make clear whether or not your are sending and receiving data. ... View more

Hello! I'm the author of the app. Could you please let me know where you are stuck at the moment? Is it on the sending or receiving side? Are you using TCP or UDP as the protocol? (Some diodes do support a TCP simulation but then there's only payload going one way). Do you see traffic in Wireshark/tcpdump? ... View more