I am having trouble forwarding CiscoESA (authentication) logs from HF to Indexers.
Here are the steps taken to configure it:
- Installed Splunk Add-on for Cisco ESA on HF & SH.
- Copied "Authentication logs" from ESA to HF via SCP
- Created the following inputs.conf file under the Splunk_TA_cisco-esa folder on HF:

    [monitor:///opt/splunk/etc/apps/Splunk_TA_cisco-esa/data/authentication/authentication.@20200325T075236.s]
    disabled = false
    index = ciscoesa
    sourcetype = cisco:esa:authentication
Not sure if I missed anything on the HF, as Windows events are being forwarded from the same HF to the Indexer without any issue.
Can anyone please suggest what the issue could be?
Yes there are multiple logs, but I have selected one for now to verify if the events are being forwarded.
The splunk list forward-server command lists the following indexers (I have renamed the indexer server name):
Configured but inactive forwards:
Looks good! Now check that the logs are arriving on the indexer, and that your role can access the ciscoesa index:
index=ciscoesa earliest=-10y latest=now
This has been resolved. The issue was with my search: I used the range of the last 24 hours but forgot that the logs are older than 24 hours. I could find the events after changing the time duration to "All Time".
Thanks again for your help!
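As an added example (not code from the thread or from the Cisco ESA add-on), the script below does the pre-flight check a practitioner would run before chasing a "missing events" problem like the one above: it parses a [monitor://...] stanza from an inputs.conf, verifies the monitored file exists and is readable, confirms the input is enabled and has an index, and reports how old the file is, pointing out that files copied over by SCP keep old timestamps and that events that old never show up under the default "last 24 hours" time range. The inputs.conf and the log file are constructed in a temporary directory for the demo (the file content is a placeholder line, not a real ESA record); the only assumptions are a POSIX sh with either GNU stat -c or BSD stat -f.

```shell
#!/bin/sh
# Added example: pre-flight check for a Splunk [monitor://] stanza.
# Assumes POSIX sh and GNU (stat -c) or BSD (stat -f) coreutils.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a log file copied from the ESA, with its original
# (old) modification time preserved, as SCP with -p would do.
LOGDIR="$WORK/data/authentication"
mkdir -p "$LOGDIR"
LOGFILE="$LOGDIR/authentication.@20200325T075236.s"
printf 'placeholder line standing in for an ESA authentication record\n' > "$LOGFILE"
touch -t 202003250752 "$LOGFILE"   # POSIX touch -t CCYYMMDDhhmm

# Constructed inputs.conf mirroring the stanza from the question.
CONF="$WORK/inputs.conf"
cat > "$CONF" <<EOF
[monitor://$LOGFILE]
disabled = false
index = ciscoesa
sourcetype = cisco:esa:authentication
EOF

# monitor_path CONF -> path from the first [monitor://...] stanza header
monitor_path() {
  sed -n 's/^\[monitor:\/\/\(.*\)\]$/\1/p' "$1" | head -n 1
}

# conf_value CONF KEY -> value of "KEY = value" (first match)
conf_value() {
  sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# file_age_days PATH -> whole days since the file was last modified
file_age_days() {
  now=$(date +%s)
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
  echo $(( (now - mtime) / 86400 ))
}

# check_monitor CONF -> returns 0 if the stanza is usable, 1 otherwise,
# and prints what it found.
check_monitor() {
  path=$(monitor_path "$1")
  [ -n "$path" ] || { echo "FAIL: no [monitor://] stanza in $1"; return 1; }
  [ -r "$path" ] || { echo "FAIL: monitored path not readable: $path"; return 1; }
  [ "$(conf_value "$1" disabled)" = "false" ] || { echo "FAIL: input is disabled"; return 1; }
  idx=$(conf_value "$1" index)
  [ -n "$idx" ] || { echo "FAIL: no index set"; return 1; }
  age=$(file_age_days "$path")
  echo "OK: $path -> index=$idx sourcetype=$(conf_value "$1" sourcetype) (last modified ${age}d ago)"
  if [ "$age" -gt 0 ]; then
    echo "NOTE: file is ${age} days old; the default 'last 24 hours' range will hide its events."
    echo "      Search with: index=$idx earliest=0 latest=now"
  fi
  return 0
}

check_monitor "$CONF"
```

The check deliberately stops short of anything that needs a running Splunk instance; once it passes, the remaining questions (is the forwarder's output group active, does the role have access to the index) are answered on the indexer with the wide-range search the script prints.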