Not much info on this TA (Add-On). I have it installed on my (Linux) snort sensor with a forwarder that is set to send to my (Windows) index server. It runs once, writes the checkpoint file, and sends the data to my indexer. I see the data from my search head, but only the first time it runs. I can capture the packets and see that it continues to send data, but splunk no longer indexes the input. If I clear the U2 files and checkpoint file, then restart, it works again, but only once. I have also tried sending it to my second index server that is Linux. I've also tried installing the TA on my indexer(s), but no change in the results.
Any guidance would be greatly appreciated.
Thanks
↧