All Apps and Add-ons

Unable to forward Cisco ESA logs from Heavy Forwarder

spodda01da
Explorer

Hello All,

I am having trouble forwarding CiscoESA (authentication) logs from HF to Indexers.

Here are the steps taken to configure it:
- Installed Splunk Add-on for Cisco ESA on HF & SH.
- Copied "Authentication logs" from ESA to HF via SCP
- Created following inputs.conf file under Splunk_TA_cisco-esa folder on HF:

   [monitor:///opt/splunk/etc/apps/Splunk_TA_cisco-esa/data/authentication/authentication.@20200325T075236.s]
   disabled = false
   index = ciscoesa
   sourcetype = cisco:esa:authentication

Not sure if I missed anything on HF as Windows events are being forwarder from same HF to Indexer without any issue.

Can anyone please suggest what could be the issue.

Thanks,

0 Karma
1 Solution

PavelP
Motivator

Hello @spodda01da,

  1. you mention "logs" (multiple) - the monitor stanza point to one single log and not to a folder. Does this particular log exists?
  2. To forward logs from HF to Indexer you need outputs.conf too (or configure forwarding). What does "splunk list forward-server" command show?

View solution in original post

0 Karma

PavelP
Motivator

Hello @spodda01da,

  1. you mention "logs" (multiple) - the monitor stanza point to one single log and not to a folder. Does this particular log exists?
  2. To forward logs from HF to Indexer you need outputs.conf too (or configure forwarding). What does "splunk list forward-server" command show?

View solution in original post

0 Karma

spodda01da
Explorer

Hi @PavelP,

Yes there are multiple logs, but I have selected one for now to verify if the events are being forwarded.

Splunk List forward-server command list the following indexers (I have renamed the indexer server name):

Active forwards:
indexer3.com:9997
Configured but inactive forwards:
indexer1.com:9997
indexer2.com:9997

0 Karma

PavelP
Motivator

Hi @spodda01da,

looks good! Now check that the logs are arriving on the indexer:
index=_internal cisco:esa:authentication

check that your role can access the ciscoesa index:
index=ciscoesa earliest=-10y latest=now

0 Karma

spodda01da
Explorer

Hi @PavelP,

This has been resolved. The issue was with my search as I used the range of last 24 hours but I forgot the logs are older than 24 hours. I could find the events after changing Time Duration to "All Time".

Thanks again for your help!

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!