- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: Unable to forward Cisco ESA logs from Heavy Fo...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello All,
I am having trouble forwarding CiscoESA (authentication) logs from HF to Indexers.
Here are the steps taken to configure it:
- Installed Splunk Add-on for Cisco ESA on HF & SH.
- Copied "Authentication logs" from ESA to HF via SCP
- Created following inputs.conf file under Splunk_TA_cisco-esa folder on HF:
[monitor:///opt/splunk/etc/apps/Splunk_TA_cisco-esa/data/authentication/authentication.@20200325T075236.s]
disabled = false
index = ciscoesa
sourcetype = cisco:esa:authentication
Not sure if I missed anything on HF as Windows events are being forwarder from same HF to Indexer without any issue.
Can anyone please suggest what could be the issue.
Thanks,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @spodda01da,
- you mention "logs" (multiple) - the monitor stanza point to one single log and not to a folder. Does this particular log exists?
- To forward logs from HF to Indexer you need outputs.conf too (or configure forwarding). What does "splunk list forward-server" command show?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @spodda01da,
- you mention "logs" (multiple) - the monitor stanza point to one single log and not to a folder. Does this particular log exists?
- To forward logs from HF to Indexer you need outputs.conf too (or configure forwarding). What does "splunk list forward-server" command show?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @PavelP,
Yes there are multiple logs, but I have selected one for now to verify if the events are being forwarded.
Splunk List forward-server command list the following indexers (I have renamed the indexer server name):
Active forwards:
indexer3.com:9997
Configured but inactive forwards:
indexer1.com:9997
indexer2.com:9997
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @spodda01da,
looks good! Now check that the logs are arriving on the indexer:
index=_internal cisco:esa:authentication
check that your role can access the ciscoesa index:
index=ciscoesa earliest=-10y latest=now
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @PavelP,
This has been resolved. The issue was with my search as I used the range of last 24 hours but I forgot the logs are older than 24 hours. I could find the events after changing Time Duration to "All Time".
Thanks again for your help!
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
