I have eStreamer set up to forward logs to our Splunk instance; however, I am not receiving any packet data.
In the TA-eStreamer setup I have "Packets?" checked.
In the FMC eStreamer Event Configuration, I have "Intrusion Event Packet Data" checked.
Since this configuration has been in place we have had an IPS event fire, but no packet was forwarded to Splunk. I ran a search for rec_type_simple=PACKET and did not see any results. Any ideas? Thanks.
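A diagnostic search for the situation described above, added here as an example and not part of the original post: before looking only for `rec_type_simple=PACKET`, confirm which eStreamer record types are arriving at all over the window in which the IPS event fired. The sourcetype name `cisco:estreamer:data` is assumed to be what TA-eStreamer assigns; substitute whatever your TA input writes, and drop the `sourcetype=` clause if unsure.

```sql
-- Added example, not from the original post or the TA-eStreamer project.
-- Assumption: TA-eStreamer writes events with sourcetype=cisco:estreamer:data;
-- rec_type_simple is the field named in the post. Adjust to your environment.

-- 1. What record types are arriving at all? If INTRUSION (or similar) shows
--    up but PACKET never does, the event side works and only packet
--    forwarding is broken; if nothing arrives, the eStreamer client itself
--    is not delivering.
sourcetype=cisco:estreamer:data earliest=-24h
| stats count BY rec_type_simple
| sort - count

-- 2. Narrow to the window around the known IPS event and list PACKET
--    records alongside the intrusion event, so a packet that did arrive
--    but was indexed under a different time can still be found.
sourcetype=cisco:estreamer:data earliest=-24h
  (rec_type_simple=PACKET OR rec_type_simple=INTRUSION)
| table _time rec_type_simple
| sort _time
```

If search 1 shows no `PACKET` rows while intrusion records are present, the next things to check are the "Packets?" setting in the TA and the "Intrusion Event Packet Data" box on the FMC, then restart the eStreamer client so the new subscription takes effect.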