Deployment Architecture

How to pull data from DMZ Heavy Forwarder?

randqm
Loves-to-Learn Everything

I want to install HF or UF on our DMZ environment.

The Indexer is on the LAN.

It is not allowed to communicate from the DMZ to the LAN.

I need that the logs from the DMZ will be pulled to the Indexer in the LAN (using HF or any other solution).

Please share your insight on how to set this up, from your experience.

Thanks in advance.

0 Karma

PickleRick
SplunkTrust

That's a typical problem because Splunk works mostly on "push" principle - forwarders get their data from various inputs but it's them who connect to the indexers (or intermediate forwarders), not the other way around. Splunk doesn't have a built-in "pull" mode.

So you can either set up a designated intermediate forwarder(s) which will be the only ones allowed to connect to LAN (but I understand that it can be not that easy with some strict traffic policies) or use some external solution to - for example - write events to a file on some host in DMZ. You'd then connect from your LAN to this host and read events from those files.

But I don't think there's a ready solution for this.

0 Karma

randqm
Loves-to-Learn Everything

But my issue is that any communication from the DMZ to LAN is not allowed. ☹️
In the opposite direction it is allowed.

0 Karma

gcusello
SplunkTrust

Hi @randqm,

if no communications are allowed from DMZ to LAN, you have no way to send data!

You can secure the connections between machines using SSL and certificates, and define very hard rules for the firewalls, but if DMZ cannot send data to LAN, there isn't any solution!

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @randqm,

you have to put one (or better two) UFs or HFs to concentrate all the logs from DMZ or outside (e.g. Cloud Services).

So you have to open only the routes between these HFs or UFs and Indexers.

Ciao.

Giuseppe

0 Karma

randqm
Loves-to-Learn Everything

Hi 

Thanks for your response.

Any tips on what configuration and ports need to be opened between the UFs/HFs?

0 Karma

gcusello
SplunkTrust

Hi @randqm,

the usual ports you're using in your Splunk infrastructure:

  • usually 9997 is used to send data to indexers (monodirectional),
  • 8089 (bidirectional) between UFs (or HFs) and Deployment Server for the configurations.

Ciao.

Giuseppe

0 Karma
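As an added illustration of the two flows Giuseppe lists (example configuration written for this thread, not taken from the thread or from Splunk's own docs): a DMZ intermediate forwarder that sends to LAN indexers on 9997 over TLS with a client certificate and polls the deployment server on 8089, plus the matching receiving stanza on the indexer. Hostnames, certificate paths and passwords are placeholders.

```ini
# --- DMZ intermediate HF/UF: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Flow 1: DMZ forwarder -> LAN indexers on TCP 9997. The forwarder initiates,
# so the firewall only needs DMZ-HF -> indexers:9997, nothing LAN-initiated.
[tcpout]
defaultGroup = lan_indexers

[tcpout:lan_indexers]
server = idx1.lan.example:9997, idx2.lan.example:9997   # placeholder hosts
useSSL = true
clientCert = $SPLUNK_HOME/etc/auth/dmz-hf.pem            # placeholder path
sslPassword = <placeholder-key-password>
# Verify the indexer's certificate against the CA configured in
# server.conf [sslConfig] sslRootCAPath, and pin the expected names.
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.lan.example, idx2.lan.example

# --- DMZ intermediate HF/UF: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
# Flow 2: the forwarder polls the deployment server on TCP 8089 (client
# initiates), so only DMZ-HF -> DS:8089 must be allowed for configuration.
[deployment-client]
phoneHomeIntervalInSecs = 600

[target-broker:deploymentServer]
targetUri = ds.lan.example:8089   # placeholder host

# --- LAN indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Accept only TLS on 9997 and require the forwarder's client certificate, so
# a DMZ host without a valid certificate cannot inject events even if the
# firewall rule towards 9997 is broader than the single forwarder.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/idx.pem               # placeholder path
sslPassword = <placeholder-key-password>
requireClientCert = true
```

With this layout the only DMZ-to-LAN firewall rules are from the intermediate forwarder's address to the indexers on 9997 and to the deployment server on 8089; the DMZ hosts themselves send only to the forwarder inside the DMZ.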