I have a segmented area of my network from which I want to pull logs from a couple of systems. Rather than configure firewall rules for each system's Universal Forwarder to be able to hit my Indexers in the internal network, I have opted to implement a Heavy Forwarder for all systems to talk through. This way, I only have to punch one hole through the firewall, and I'm not directly exposing my Indexers to multiple systems within the DMZ, which is publicly accessible.
Within my Heavy Forwarder, I have configured inputs.conf to accept splunktcp on 9997 and syslog on UDP 514 (for my network devices in the DMZ). outputs.conf is configured to send everything to my Indexers. web.conf is set to turn the web interface off. From my Search Head, I am able to see the _internal logs from my Heavy Forwarder, so I know it's at least talking to the Indexers.
Now, for my Universal Forwarders, I have set the following files, with the hope that deploymentclient traffic would get routed through to the internal deployment server, and that all log data would also get passed off. So far, I cannot find anything from these hosts in any index.
############################################
$SPLUNK_HOME\etc\system\local\deploymentclient.conf
############################################
[deployment-client]
phoneHomeIntervalInSecs = 60
[target-broker:deploymentServer]
targetUri = <ForwarderFQDN>:8089
############################################
$SPLUNK_HOME\etc\system\local\outputs.conf
############################################
[tcpout]
server = <ForwarderFQDN>:9997
############################################
I would assume that these two files would at least allow data to be sent to the Indexers. However, nothing is showing up.
As for my deployment client traffic, would I need to open 8089 in my inputs.conf? How would I route the traffic from there?
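The following is an added example, not the poster's own files, of what the Heavy Forwarder setup described above looks like in .conf form: the Heavy Forwarder listens for forwarder traffic on 9997 and syslog on UDP 514, forwards everything to the internal Indexers, and has Splunk Web disabled; the Universal Forwarders point their outputs at the Heavy Forwarder through a named target group. The hostnames `hf.dmz.example`, `idx1.internal.example`, `idx2.internal.example` and the group names are placeholders.

```ini
# ---- Heavy Forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf (example) ----
# Accept data from Universal Forwarders in the DMZ. Restricting this listener to
# the DMZ subnet with acceptFrom limits who can push data at the forwarder.
[splunktcp://9997]
disabled = 0
acceptFrom = 10.10.20.0/24

# Syslog from DMZ network devices (placeholder subnet shown).
[udp://514]
sourcetype = syslog
connection_host = ip
acceptFrom = 10.10.20.0/24

# ---- Heavy Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf (example) ----
# Everything received is forwarded to the internal Indexers; this is the single
# outbound hole through the firewall (9997/tcp from the HF to each Indexer).
[tcpout]
defaultGroup = internal_indexers

[tcpout:internal_indexers]
server = idx1.internal.example:9997, idx2.internal.example:9997

# ---- Heavy Forwarder: $SPLUNK_HOME/etc/system/local/web.conf (example) ----
[settings]
startwebserver = 0

# ---- Universal Forwarder (DMZ host): $SPLUNK_HOME/etc/system/local/outputs.conf (example) ----
# The Universal Forwarder sends only to the Heavy Forwarder, never directly to the Indexers.
[tcpout]
defaultGroup = dmz_hf

[tcpout:dmz_hf]
server = hf.dmz.example:9997
```

Two things worth checking against this layout. First, `server` belongs in a named `[tcpout:<group>]` stanza that is selected by `defaultGroup` in `[tcpout]`; a bare `[tcpout]` with only `server` is not the documented form. Second, deployment-client traffic is a separate management-port (8089) connection from each client to splunkd on the deployment server; a splunktcp input on the Heavy Forwarder only carries event data and cannot relay phone-home traffic, so a client in the DMZ needs its own path to the deployment server (or to a deployment server placed where the client can reach it) rather than an inputs.conf entry on the Heavy Forwarder.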