Hi, we wanted to integrate logs from a Splunk system into Elasticsearch via Logstash. Following are the steps we used to do the same:
- Create a Network Load Balancer (NLB) URL with Logstash as backend
- Configure Splunk forwarder to push the data to NLB URL over port 443
- NLB is configured to forward all received logs to the target Logstash server over port 5044.
- Logstash is configured to receive all traffic over port 5044 and push it to an Elasticsearch index.
Traffic is flowing from Splunk to the NLB and on to Logstash, but we are receiving only junk, meaningless messages, e.g. message: 'gzip, compressed', message: close, message: 443, message: NLB Health Check, etc., multiple times.
Is it possible to achieve this solution? Does the Splunk-forwarded data have to be decrypted? If yes, which plugin can help with that?
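Added example (not from the original post or from Elastic/Splunk) for diagnosing what actually arrives on the Logstash port: it classifies the first bytes of a connection as TLS, Splunk S2S or HTTP, parses an HTTP request, flags load-balancer health checks, and shows how a line-oriented input turns request headers into the kind of "junk" events described above. The samples are constructed; the S2S banner and the health-check User-Agent are assumed from general knowledge of those products, not taken from the post.

```python
import socket

# Byte-level signatures for what a Logstash TCP listener is likely to receive from a Splunk
# forwarder or an AWS NLB (assumed: Splunk's documented S2S cooked-mode banner; 0x16 0x03 is
# the record-type/version prefix of a TLS handshake such as a ClientHello).
S2S_BANNER = b"--splunk-cooked-mode-v3--"
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ")

def classify(first_bytes: bytes) -> str:
    """Name the protocol from the first bytes of a connection."""
    if first_bytes[:2] == b"\x16\x03":
        return "tls"            # encrypted: a plain tcp input only sees ciphertext
    if first_bytes.startswith(S2S_BANNER):
        return "splunk-s2s"     # Splunk-to-Splunk cooked data, not a Logstash format
    if first_bytes.startswith(HTTP_METHODS):
        return "http"           # HEC-style event post or a load-balancer health check
    return "unknown"

def parse_http(payload: bytes) -> dict:
    """Split a raw HTTP request into method, path, lower-cased headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("utf-8", "replace").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body.decode("utf-8", "replace")}

def is_health_check(req: dict) -> bool:
    """AWS load balancer health checks identify themselves in the User-Agent header (assumed)."""
    return "HealthChecker" in req["headers"].get("user-agent", "")

def as_line_events(payload: bytes) -> list[str]:
    """What a line-oriented tcp input emits: one 'event' per non-empty text line."""
    return [line.decode("utf-8", "replace") for line in payload.split(b"\r\n") if line.strip()]

def probe(host: str, port: int, n: int = 256) -> bytes:
    """Accept one connection on host:port and return its first n bytes for live diagnosis."""
    with socket.create_server((host, port)) as srv:
        conn, _ = srv.accept()
        with conn:
            return conn.recv(n)

# Constructed samples (not captured from the poster's environment).
HEC_POST = (b"POST /services/collector/event HTTP/1.1\r\nHost: nlb.example.internal:443\r\n"
            b"Accept-Encoding: gzip, compressed\r\nConnection: close\r\nContent-Length: 21\r\n\r\n"
            b'{"event":"test line"}')
HEALTH_CHECK = b"GET / HTTP/1.1\r\nUser-Agent: ELB-HealthChecker/2.0\r\nConnection: close\r\n\r\n"
CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"   # first bytes of a TLS handshake
```

Run `probe("0.0.0.0", 5044)` on the Logstash host (with Logstash stopped) and pass the result to `classify` to see whether the NLB is handing over TLS ciphertext, HTTP requests or S2S data; that decides whether TLS must be terminated (on the NLB listener or the input) and which input plugin fits.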