Hi kfalconer,

My first port of call would be to consult your firewall administrators to see whether a rule could be created specifically to allow data out. Splunk can usually address any security concerns that FW admins would have, and as they have a fairly simple comms matrix, (TCP 8089, 9997) it can be locked down. An intermediary forwarder may even be used so that comms only ever originates from one host to simplify matter even more.

I recently had a deployment where the corporate policy did not allow the installation of a Universal Forwarder on some servers, AND data could only be transmitted within a certain window. As a Splunk guy, I can tell you that this was not my idea of fun...

ANYWAY, we managed to get around this by writing custom scripts that would be scheduled to run daily at 2AM, extract Windows event logs for the previous 24 hours, and write them to a shared directory (on a different server) that did have a Universal Forwarder on it to pick up the events and send them to the Indexer.

The end result is that they now have 'Splunk for Active Directory' installed and operational... but only with data for the previous day (they understood this would be the case), and there was a bit of rewrite to get the app working... which I wouldn't recommend if you value your sanity 🙂

TL;DR: If your firewall admins can't help, you might want to look at the following:

• Custom scripts to collect data on a scheduled basis
• Drop the events on a shared directory that can send data to the indexer
• Have a Universal Forwarder on that server send the data to the Indexer as it's received,

PS. If your firewall admins can't help... then they're probably not going to like you taking this approach either 😛