Splunk Enterprise forwarders must be configured with Indexer Acknowledgement enabled.

An XCCDF Rule

Description

To prevent the loss of data during transmission, a handshake acknowledgement between the sender and the recipient may need configured.

ID: SV-221936r961863_rule
Version: SPLK-CL-000175
Severity: Low
References: CCI-000366
Updated: 5 days ago

Remediation Templates

If the server is not a forwarder, this check is N/A.

In the Splunk installation folder, edit the following file in the $SPLUNK_HOME/etc/system/local folder:

outputs.conf
Locate the section similar to: 

[tcpout:group1]

Note that group1 may be named differently depending on how tcpout was configured.

Add the following line under the group stanza above:

useACK=true