Re: How to send data to indexer and pulling config...

brdr · ‎11-10-2016

We will be installing the forwarder onto our domain controllers in DMZ.

Question, can we hardwire a port on the DC where the forwarder is installed to connect to :

deployment server on 8089
indexers on 9997

Heff · ‎11-10-2016

Yes,

When you install the forwarder just specify the DS server & Port like this:

msiexec.exe /i Splunk.msi DEPLOYMENT_SERVER=host:port /quiet

Then you should create an outputs App on your DS that will push just an outputs.conf to all your Forwarders.

Make sense?
http://docs.splunk.com/Documentation/Splunk/6.5.0/Installation/InstallonWindowsviathecommandline

brdr · ‎11-10-2016

makes sense. however, if I want to lock down a port on the forwarder sitting in DMZ to use a port to communicate to 8089 on deployment server and to communicate to 9997 on indexers how do I do that? Where do I specify the port on the forwarder to communicate to DS and IDX?

Heff · ‎11-10-2016

the deploymentclient.conf will have the server:port in it and the outputs.conf will have the indexer server:port in it too. Additionally the indexer and DS are only listening on those same ports.

http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Deploymentclientconf
http://docs.splunk.com/Documentation/Splunk/6.5.0/Admin/Outputsconf

How to send data to indexer and pulling config data from deployment server using forwarder ports?

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!