I have 2 servers, one as the indexer and the other as a heavy forwarder. I have set up syslog forwarding successfully from the heavy forwarder to the indexer.
I now want the IronPort proxy appliance log to be dumped onto the heavy forwarder (via FTP to a folder, and then use inputs.conf to pick up the file from that folder) and then indexed on the indexer.
My question is:
- Is it possible?
- If yes, do I need the apps on the heavy forwarder?
What I have noticed is that if I don't have the Splunk Cisco Security Suite and IronPort web proxy apps installed on the heavy forwarder, I do not get any data, only a blank line. On the other hand, if I have the above two apps installed on the heavy forwarder, I get one step further: I only get the header information from the log in the index and no data.
Obviously, both apps are already installed on the indexer.
If I set up the proxy appliances to send logs directly to the indexer, it works fine. But I want the raw data to go to the heavy forwarder and then be indexed on the indexer.
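The file-monitor-then-forward pipeline described in the question, written out as an added configuration example (this is not the poster's configuration or the apps' own files). The drop directory, index name, indexer hostname and the sourcetype string are assumptions; the sourcetype must match whatever the installed IronPort/Cisco app's props.conf actually defines, because a heavy forwarder does the parsing itself and therefore needs the same props/transforms as the indexer.

```ini
# /opt/splunk/etc/system/local/inputs.conf on the heavy forwarder
# (added example; path, index and sourcetype are assumptions)
[monitor:///srv/ftp/ironport/accesslogs]
# Must match a sourcetype defined in the IronPort/Cisco app's props.conf on this host
sourcetype = cisco_wsa_squid
index = proxy
disabled = 0
# Uncomment if the appliance uploads rotated files that share the same first bytes,
# so Splunk does not treat a new file as an already-read one
# crcSalt = <SOURCE>

# /opt/splunk/etc/system/local/outputs.conf on the heavy forwarder
# (added example; indexer hostname is an assumption)
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = indexer.example.com:9997
```

To confirm the heavy forwarder actually has the parsing rules for that sourcetype, run `splunk btool props list cisco_wsa_squid --debug` on the heavy forwarder and compare the output with the same command on the indexer; if the stanza is missing or differs (for example a LINE_BREAKER or SHOULD_LINEMERGE setting only present on the indexer), that is where events get collapsed before they are forwarded. Note also that plain FTP sends the appliance's upload credentials and the proxy logs in cleartext; if the appliance supports SCP or SFTP push, prefer that for the drop into the monitored folder.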