Splunk Enterprise forwarders must be configured with Indexer Acknowledgement enabled.

An XCCDF Rule

Description

<VulnDiscussion>To prevent the loss of data during transmission, a handshake acknowledgement between the sender and the recipient may need configured.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-221936r961863_rule
Severity: Low
References: CCI-000366
Updated: 17 days ago

If the server is not a forwarder, this check is N/A.

In the Splunk installation folder, edit the following file in the $SPLUNK_HOME/etc/system/local folder:

outputs.conf
Locate the section similar to: 

[tcpout:group1]

Note that group1 may be named differently depending on how tcpout was configured.

Add the following line under the group stanza above:

useACK=true

Splunk Enterprise forwarders must be configured with Indexer Acknowledgement enabled.

Description

Remediation - Manual Procedure