This is how I got the SUF to send Windows logs to Splunk Enterprise through my data diode. On the SUF side, I modified my \etc\system\local\outputs.conf by adding this line:
sendCookedData = false
I then changed the server and tcpout-server to my protected diode interface IP and port:
server = 192.168.1.11:8997
[tcpout-server://192.168.1.11:8997]
(Note: You could skip those last two settings if you install the SUF and specify the IP and port in the customized settings.)
On the unprotected diode interface, I send the data to Splunk Enterprise on a non-SUF port (anything other than 9997).
I added a TCP data input for that port and set the source to tcp-raw.
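The two config files this setup needs, written out in full as an added example (not part of the original post); the group name "diode", the indexer-side port 8998 and the index name are placeholders I chose:

```ini
# --- Universal Forwarder: \etc\system\local\outputs.conf ---
[tcpout]
defaultGroup = diode
# Send a raw (uncooked) byte stream: the normal Splunk-to-Splunk handshake
# needs a return path, which a one-way data diode does not provide.
sendCookedData = false
# Indexer acknowledgement would also need a return path; leave it off (the default).
useACK = false

# "diode" is a placeholder group name; the address is the protected diode interface.
[tcpout:diode]
server = 192.168.1.11:8997

# --- Splunk Enterprise: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# 8998 is a placeholder: any port other than the default forwarder port 9997.
[tcp://8998]
sourcetype = tcp-raw
# Tag events with the sending IP (the unprotected diode interface, as seen by the indexer).
connection_host = ip
index = main
```

Because the stream is uncooked, the indexer receives plain text rather than Splunk's cooked events, so host, source and sourcetype are whatever this TCP input assigns, not what the forwarder's Windows inputs set.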