SPLK-CL-000175 - Splunk Enterprise forwarders must be configured with Indexer Acknowledgement enabled.

Information

To prevent the loss of data during transmission, a handshake acknowledgement between the sender and the recipient may need to be configured.

Solution

If the server is not a forwarder, this check is N/A.

In the Splunk installation folder, edit the following file in the $SPLUNK_HOME/etc/system/local folder:

outputs.conf

Locate the section similar to:

[tcpout:group1]

Note that group1 may be named differently depending on how tcpout was configured.

Add the following line under the group stanza above:

useACK=true
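
One way to verify the setting described above, as an added example that is not part of the STIG or of Splunk's own tooling: a small Python check that reads outputs.conf text and lists every [tcpout:<group>] stanza that does not set useACK=true. The function name and the sample stanzas are constructed for illustration; the check assumes the strict reading of the fix text (the value true, in the group's own stanza).

```python
import re

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

def groups_missing_ack(conf_text):
    """Return names of [tcpout:<group>] stanzas lacking useACK=true."""
    stanzas = {}      # stanza name -> {key: value}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group("name").strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()   # last assignment wins
    # Assumption: only the literal value "true" (any case) set in the
    # group stanza itself counts, matching the fix text on this page.
    return sorted(
        name for name, settings in stanzas.items()
        if name.startswith("tcpout:")
        and settings.get("useACK", "").lower() != "true"
    )

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
[tcpout]
defaultGroup = group1

[tcpout:group1]
server = idx1.example.test:9997
useACK = true

[tcpout:archive]
server = idx2.example.test:9997

[tcpout:dr_site]
server = idx3.example.test:9997
useACK = false
"""

if __name__ == "__main__":
    for group in groups_missing_ack(SAMPLE):
        print(f"finding: [{group}] does not set useACK=true")
```

To check a real forwarder, pass the contents of $SPLUNK_HOME/etc/system/local/outputs.conf to groups_missing_ack; an empty list means every group stanza in that file carries the setting.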

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Splunk_Enterprise_7-x_for_Windows_V3R1_STIG.zip

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6b., CAT|III, CCI|CCI-000366, Rule-ID|SV-221936r961863_rule, STIG-ID|SPLK-CL-000175, STIG-Legacy|SV-111327, STIG-Legacy|V-102377, Vuln-ID|V-221936

Plugin: Windows

Control ID: 0eb94eb5e40ae33266aed7900a9d512124031d7a55725e939459388085446a12