Getting Data In

Connecting Universal Forwarder to Heavy Forwarder Issue?

DanAlexander
Path Finder

Hello Community,

I am having issues connecting my Universal Forwarder with a Heavy Forwarder.

I have the following set up: UF-->HF-->IDx

I can see the logs from HF to IDx, but not sure why I cannot see logs from UF-->HF

The connection HF-->IDx is [splunktcp-ssl] whereas the connection UF-->HF is [tcpout]

My question is how to troubleshoot the broken connection? I read the UF logs but still cannot find the issue.

Any help much appreciated.

Thank you All!

0 Karma
1 Solution

gcusello
Esteemed Legend

Hi @DanAlexander ,

Yes, you can use the same connection mechanism for UF->HF and HF->IDX because it's the same thing.

You can use SSL in both of them or not, as you like.

About the use of the correct password, it's usually assured by the way to deploy configurations: if you use a Deployment Server you're sure to deploy the correct password.

For more info, see https://docs.splunk.com/Documentation/Splunk/9.0.4/Security/AboutsecuringyourSplunkconfigurationwith... and the following pages.

About certificates, you can use your own certificates (if you have) or the Splunk auto generated ones, the process is described in the above link.

Ciao.

Giuseppe


DanAlexander
Path Finder

Hi @gcusello ,

Thanks for the reply.

I wanted to ask, may I use the same connection mechanism of the indexers (I have 3 of them) [splunktcp-ssl] talking to the HF for the UF-->HF?

The UFs can successfully talk to the indexers using [tcpout] and I have [splunktcp-ssl] on the IDx

How can I make sure the connecting nodes are using the correct password/certificates for the SSL connection? Any link with an explanation of how to properly set up [splunktcp-ssl] will be really helpful.

Where are those CA obtained from? I am not too familiar with the process... does this need to be paid for or is it included in the license I am paying for.

Thank you!

0 Karma

DanAlexander
Path Finder

Hi @gcusello

Your time is much appreciated!

Thank you very much, I am sure I can manage it after your feedback.

Best regards,

Dan

0 Karma

gcusello
Esteemed Legend

Hi @DanAlexander,

At first, check if you enabled receiving on the HF, and if you correctly configured your UF to send logs to the HF.

Then, if you're using SSL, check the password and certificate.

You can troubleshoot the connection between UF and HF using telnet on the UF.

Ciao.

Giuseppe

0 Karma
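A consistency check that follows the order of Giuseppe's advice (is receiving enabled on the HF, does the UF point at it, and do both sides agree on SSL), as an added Python example that is not from this thread or from Splunk; the two conf fragments and the host name are constructed, and the check only compares stanzas, it does not open a connection.

```python
import configparser

# Constructed sample (not from the thread): UF sends plain [tcpout] to the HF.
UF_OUTPUTS = """
[tcpout]
defaultGroup = hf_group
[tcpout:hf_group]
server = hf01.example.internal:9997
"""
# Constructed sample: the HF only listens on an SSL receiving port.
HF_INPUTS = """
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = <redacted>
"""
# outputs.conf keys that turn on SSL towards the receiver (in [tcpout] or the group)
UF_SSL_KEYS = ("useSSL", "clientCert", "sslPassword", "sslRootCAPath")

def _parse(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's case-sensitive key names
    cp.read_string(text)
    return cp

def check_forwarding(outputs_text: str, inputs_text: str) -> list[str]:
    """Return findings; an empty list means UF outputs.conf and HF inputs.conf agree."""
    out, inp = _parse(outputs_text), _parse(inputs_text)
    group = out.get("tcpout", "defaultGroup", fallback="")
    if not out.has_section(f"tcpout:{group}"):
        return [f"UF: defaultGroup '{group}' has no matching [tcpout:{group}] stanza"]
    grp, top = out[f"tcpout:{group}"], out["tcpout"]
    servers = [s.strip() for s in grp.get("server", "").split(",") if s.strip()]
    if not servers:
        return [f"UF: [tcpout:{group}] lists no server = host:port"]
    uf_ssl = any(k in grp or k in top for k in UF_SSL_KEYS)
    findings = []
    for port in sorted({s.rsplit(":", 1)[-1] for s in servers}):
        ssl_rx, plain_rx = f"splunktcp-ssl:{port}", f"splunktcp:{port}"
        rx = next((s for s in (ssl_rx, plain_rx) if inp.has_section(s)), None)
        if rx is None or inp[rx].get("disabled", "0").lower() in ("1", "true"):
            findings.append(f"HF: no enabled receiver on port {port}; enable receiving first")
        elif rx == ssl_rx and not uf_ssl:
            findings.append(f"UF: sends plaintext to HF [{ssl_rx}]; set SSL keys in outputs.conf")
        elif rx == plain_rx and uf_ssl:
            findings.append(f"UF: SSL configured but HF [{plain_rx}] is a plaintext receiver")
        if rx == ssl_rx and not all(inp.has_option("SSL", k) for k in ("serverCert", "sslPassword")):
            findings.append("HF: [SSL] stanza is missing serverCert or sslPassword")
    return findings
```

Run it against the real files from both hosts (`$SPLUNK_HOME/etc/system/local` or the deployed app) before reaching for telnet; a mismatch between a plain [tcpout] on the UF and [splunktcp-ssl] on the HF shows up here without touching the network.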