Hello,
I'm missing some logging in Splunk from several DCs. Most likely, the reason behind it is that the DCs are generating more logging than the Universal Forwarder (UF) is capable of handling. Setting the UF limit to uncapped did not solve the issue. What I'm about to try next is to set useACK at the client site. However, I still have some questions.
Can we enable useACK on the same TCP port (default 9997) which is used for non-ACK traffic?
Are there any specific settings which we should apply for DCs generating a lot of logging?
Many thanks.
Kind regards,
Stefan