Hi,
I have a feed of events coming into my Splunk Heavy Forwarder, but they aren't being indexed, and I'm baffled. Here's my inputs.conf:
[tcp://:1918]
index = istr_security
sourcetype = bcoat_proxysg
disabled = false

[tcp://:1919]
index = istr_security
sourcetype = bcoat_proxysg_plug
disabled = false

[tcp://:1920]
connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = bcoat_proxysg_socks
disabled = false
1918 works. It's been in place for a long time. We are now sending 1920, but it's not showing up. I checked future events, and looked in the logs for any errors, but can't find any. I do see these messages, but they seem to be telling me that Splunk is now reading my port. I did a packet capture, and data is arriving.
10-26-2016 13:51:47.027 -0400 INFO TcpInputConfig - IPv4 port 1920 is reserved for raw input
10-26-2016 13:51:47.027 -0400 INFO TcpInputConfig - IPv4 port 1920 will negotiate new-s2s protocol
10-26-2016 13:51:47.027 -0400 INFO TcpInputProc - Creating raw Acceptor for IPv4 port 1920 with Non-SSL
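A small triage helper, added here as an example and not part of the original post: it parses the inputs.conf stanzas shown above (embedded as a constructed copy), lists the TCP ports the forwarder should be listening on so they can be cross-checked against the TcpInputProc log lines and a netstat/ss listing, and diffs the working 1918 stanza against the failing 1920 stanza to isolate the settings that exist only on the failing one.

```python
import configparser
from typing import Dict, List, Optional, Tuple

# Constructed copy of the inputs.conf quoted in the post (not the live file).
INPUTS_CONF = """
[tcp://:1918]
index = istr_security
sourcetype = bcoat_proxysg
disabled = false

[tcp://:1919]
index = istr_security
sourcetype = bcoat_proxysg_plug
disabled = false

[tcp://:1920]
connection_host = dns
source = tcp:1920
index = istr_security
sourcetype = bcoat_proxysg_socks
disabled = false
"""


def parse_inputs(text: str) -> Dict[str, Dict[str, str]]:
    """Parse inputs.conf into {stanza_name: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def enabled_tcp_ports(conf: Dict[str, Dict[str, str]]) -> List[int]:
    """Ports from enabled [tcp://...] stanzas; compare with what the HF logs/listens on."""
    ports = []
    for name, kv in conf.items():
        if name.startswith("tcp://") and kv.get("disabled", "false").lower() != "true":
            ports.append(int(name.rsplit(":", 1)[1]))
    return sorted(ports)


def diff_stanzas(conf, good: str, bad: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Keys whose values differ between a known-good and a suspect stanza."""
    a, b = conf[good], conf[bad]
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    conf = parse_inputs(INPUTS_CONF)
    print("expected listeners:", enabled_tcp_ports(conf))
    for key, (g, b) in diff_stanzas(conf, "tcp://:1918", "tcp://:1920").items():
        print(f"{key}: 1918={g!r} 1920={b!r}")
```

The diff narrows the investigation to the keys that only the 1920 stanza sets (connection_host and source) plus the intended sourcetype change, which is where a practitioner would look first before suspecting the network path.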