Hello,We have an action set that sends events over syslog to Splunk from our MX's using CEF. I see new messages every day in Splunk, but I am unsure why certain security audit events do not get sent to Splunk. Specifically, I noticed this when looking for "Untraceable SSL Sessions: Unsupported Cipher" that show up on the MX alerts. Under that alert I do see the correct action set was supposed to trigger and sent over syslog. These alerts have the "informative" severity on them, not sure if that matters or not. Any help would be appreciated!Thanks!
It can be due to number of reasons. If you have ensured that MX has correct configuration and should send event to Splunk, I would suggest to try and localize the problem to see whether it is due to MX, Splunk server or network. It can be done by capturing this traffic on MX interface by tcpdump utility to the pcap file and analyzing it. If you find specific syslog message in pcap file, it means the MX sends it and need to focus on Splunk server side or network. You can open case to On-Prem Support and we can do this investigation for you.BR,Marat MakhlinOn-Prem Support Teach Lead.