Can a universal forwarder work without connectivity to a deployment server?

eastlandm
New Member

We have universal forwarders planned for the DMZ. Firewall admins want to limit connectivity to as few ports as possible.

I know the UF needs to connect to the indexer (TCP-9997), but can it live without communicating to the deployment server (TCP-8089)?

No apps are required, and I plan on just configuring inputs.conf directly as only logfile & perfmon counters are required.

So questions needing answers:
1. Will the UF start up and operate if it can't communicate with the deployment server?
2. Is there any configuration required to be done to allow UF to operate without access to a deployment server?

I've looked at an intermediate forwarder, but f/w admins don't like dmz hosts talking to each other, so that option is out.


esix_splunk
Splunk Employee

Your UF / HF can work without a deployment server. In your case, since these are in a DMZ without connectivity to the deployment server (DS), you should just configure these without a DS. Then configure your inputs manually and distribute them to these hosts.

Even if they did connect to a DS, and then lose connectivity, they will still function. The only issues arise when they reconnect to the DS: if apps are not the same, the client will redeploy and download all apps again.

So:
1) Yes
2) No
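
A minimal standalone forwarder configuration matching the setup discussed in this thread, added here as an illustration and not posted by either participant. The indexer hostname, output group name, log path, sourcetype and intervals are constructed placeholders; the files are assumed to live in `$SPLUNK_HOME/etc/system/local/` on a Windows host (perfmon inputs are Windows-only).

```ini
# ---- outputs.conf ----
# The only outbound connection the forwarder needs: TCP 9997 to the indexer.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
# Placeholder hostname; replace with the real indexer address.
server = indexer.example.internal:9997

# ---- inputs.conf ----
# Log file input, configured locally instead of through a deployed app.
# Placeholder path and sourcetype.
[monitor://C:\inetpub\logs\LogFiles]
sourcetype = iis
disabled = 0

# Performance counter input.
[perfmon://CPU]
object = Processor
counters = % Processor Time
instances = _Total
interval = 60
disabled = 0

# ---- deploymentclient.conf ----
# Optional. With no targetUri configured the forwarder never contacts a
# deployment server; this stanza makes that explicit, so nothing attempts
# an outbound connection to TCP 8089.
[deployment-client]
disabled = true
```

After a restart, `splunk list forward-server` on the forwarder shows whether the connection to the indexer is active.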
