Client is migrating/upgrading from PIM to PAM and wants to use the event forwarder that was already configured in PIM 12.8
Event forwarder logs show
2023-02-27T16:45:03.956190180Z 2023-02-27 16:45:03.955 | ERROR | Listener-2 | com.broadcom.symantec.pam.eventForwarder.services.HandleMessageImpl:138 | Exception while processing event message:
2023-02-27T16:45:03.956211556Z org.apache.logging.log4j.core.appender.AppenderLoggingException: Error writing to TCP:10.XXXXX:514 socket not available
.[ACMQ INFORMATION]: ACMQ_Init : Connecting to Server URL = failover:(ssl://10.188.177.31:61616)?maxReconnectAttempts=5. Successfully connected to the Distribution Server ssl://10.XXXXXXX:61616
[ACMQ INFORMATION]: ACMQ_Init : Successfully connected to the Distribution Server ssl://10.xxxxxx:61616 with user = +reportagent
.Schedule parameter: 01:00@Sun,Mon,Tue,Wed,Thu,Fri,Sat
7 days parsed
Local Time: Wed Feb 1 17:35:32 2023
STATUS: Waiting for next report generation. Time: 01:00 Thu
Wait parameters: days = 1, hours = -16, minutes = -35
Sleep Time: 26700...
Set message expiration time 26400 seconds
[ACMQ INTERNAL ERROR]: acmq_MsgSend failed on line: 705 with error: 'User +reportagent is not authorized to write to: queue://queue/snapshots'. Additional Info: Server = ssl://10.xxxxxxxxxxx:61616; Queue = queue/snapshots. ERROR: Failed to send a message to the Message Queue, rv = -1: n/a
***Error: failed to send acmq message: ERROR: Failed to send a message to the Message Queue, rv = %d: %s
[ACMQ INFORMATION]: ACMQ_Terminate : Terminate connection to Distribution Server
.Failed to send report (seosdb)!
ERROR: do_report failed.
Preparing Policy Model list
No Policy Model found
STATUS: ReportAgent terminated.
CA PAMSC Report Agent goes down.
Release : 4.1.1
At this time the event forwarder service only supports TCP and cannot be set to use UDP
After changing the splunk receiving service to listen over tcp on the same port all messages were sent to the splunk server