Hi,
I've downloaded the Splunk 7.2.1 deb package, installed it on a Linux machine, and added a data source (the server that will generate syslog and send it to Splunk); up to here everything works.
Now I need to forward / redirect / pass ALL the syslog events received to a third-party SIEM (in my case a McAfee ESM 10.3.2).
I've read the guide about "Forward data to third-party systems" -> Splunk/7.2.1/Forwarding/Forwarddatatothird-partysystemsd
and from the Splunk web GUI I've done:
-> setting -> forwarder -> configure forwarder -> add a new forwarder
(the URL is: /it-IT/manager/launcher/data/outputs/tcp/server)
From the CLI I have this file:
root@splunkTest:~# more /opt/splunk/etc/system/local/outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 172.20.3.97:514
[tcpout-server://172.20.3.97:514]
root@splunkTest:~#
And it's not working.
I can see the communication with tcpdump:
root@splunkTest:~# tcpdump -i any port 514 -nns 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 1514 bytes
16:49:43.201683 IP 10.162.128.37.42824 > 172.20.3.97.514: Flags [F.], seq 2946406031, ack 629729605, win 229, length 0
16:49:43.202493 IP 10.162.128.37.42832 > 172.20.3.97.514: Flags [S], seq 3373985087, win 29200, options [mss 1460,sackOK,TS val 938692088 ecr 0,nop,wscale 7], length 0
16:49:43.223613 IP 172.20.3.97.514 > 10.162.128.37.42832: Flags [S.], seq 1511232163, ack 3373985088, win 29200, options [mss 1460,nop,wscale 10], length 0
16:49:43.223657 IP 10.162.128.37.42832 > 172.20.3.97.514: Flags [.], ack 1, win 229, length 0
16:49:43.224001 IP 10.162.128.37.42832 > 172.20.3.97.514: Flags [P.], seq 1:401, ack 1, win 229, length 400
16:49:43.246353 IP 172.20.3.97.514 > 10.162.128.37.42832: Flags [.], ack 401, win 30, length 0
16:49:43.246401 IP 10.162.128.37.42832 > 172.20.3.97.514: Flags [P.], seq 401:469, ack 1, win 229, length 68
16:49:43.263551 IP 172.20.3.97.514 > 10.162.128.37.42824: Flags [.], ack 1, win 30, length 0
16:49:43.267205 IP 172.20.3.97.514 > 10.162.128.37.42832: Flags [.], ack 469, win 30, length 0
16:49:43.279484 IP 172.20.3.97.514 > 10.162.128.37.42824: Flags [F.], seq 1, ack 1, win 30, length 0
16:49:43.279565 IP 10.162.128.37.42824 > 172.20.3.97.514: Flags [.], ack 2, win 229, length 0
^C
11 packets captured
11 packets received by filter
0 packets dropped by kernel
root@splunkTest:~#
and I get this error in the Splunk GUI: "TcpOutputProc - Tcpout Processor: The TCP output processor has paused the data flow."
From what I can tell I don't have a heavy forwarder (am I right?); I deployed only the Splunk package and started it (which architecture is the default: HF, indexer, forwarder, etc.?).
What am I missing?
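Added configuration example, not part of the original post: a `[tcpout]` group sends Splunk's cooked Splunk-to-Splunk stream, which a plain syslog listener on port 514 does not understand (the 400-byte push followed by the receiver's FIN in the capture, and the "paused the data flow" message, match that). Forwarding raw syslog to a third-party collector from a full Splunk Enterprise instance (acting as a heavy forwarder) uses a `[syslog]` output group plus a props/transforms routing rule; the ESM address is the one from the post, the group name `esmSyslog` and transform name `route_all_to_esm` are assumptions.

```ini
# /opt/splunk/etc/system/local/outputs.conf
# Syslog output group: emits raw syslog lines instead of the cooked
# Splunk-to-Splunk stream. Group name is an assumption; the address is
# the McAfee ESM from the post.
[syslog]
defaultGroup = esmSyslog

[syslog:esmSyslog]
server = 172.20.3.97:514
type = tcp

# Alternative only if the collector expects a raw TCP stream rather
# than syslog framing: keep the tcpout group but disable cooked data.
# [tcpout:default-autolb-group]
# server = 172.20.3.97:514
# sendCookedData = false

# /opt/splunk/etc/system/local/props.conf
# Apply the routing transform to every incoming event.
[default]
TRANSFORMS-routeToEsm = route_all_to_esm

# /opt/splunk/etc/system/local/transforms.conf
# REGEX = . matches any event; _SYSLOG_ROUTING selects the syslog group.
[route_all_to_esm]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = esmSyslog
```

Restart the instance after editing (`/opt/splunk/bin/splunk restart`) and re-run the tcpdump: the pushed payloads should now be syslog lines rather than a single 400-byte handshake followed by a FIN.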