https://community.splunk.com/t5/Getting-Data-In/HowTo-pull-logs-into-trusted-network-from-a-forwarder-located-in/m-p/23156#M3629 <P>Hello, <BR /> I search a way to get realtime logs from DMZ-Zone into a Trusted Network, where the Indexer is located. <BR /> A Forwarder located in DMZ collects all logs, but this Forwarder can only send (push) logs to the trusted network. Is there a way to change the direction of the communication to pull these logs from the Forwarder?</P> <P>I can pull all Logfiles directly from the log-source, but this is not in realtime. </P> <P>Any suggestions on this ?</P> <P>Thanks, <BR /> Torsten</P> Mon, 05 Nov 2012 10:21:32 GMT tjensen 2012-11-05T10:21:32Z https://community.splunk.com/t5/Getting-Data-In/HowTo-pull-logs-into-trusted-network-from-a-forwarder-located-in/m-p/23156#M3629 <P>Hello, <BR /> I search a way to get realtime logs from DMZ-Zone into a Trusted Network, where the Indexer is located. <BR /> A Forwarder located in DMZ collects all logs, but this Forwarder can only send (push) logs to the trusted network. Is there a way to change the direction of the communication to pull these logs from the Forwarder?</P> <P>I can pull all Logfiles directly from the log-source, but this is not in realtime. </P> <P>Any suggestions on this ?</P> <P>Thanks, <BR /> Torsten</P> Mon, 05 Nov 2012 10:21:32 GMT https://community.splunk.com/t5/Getting-Data-In/HowTo-pull-logs-into-trusted-network-from-a-forwarder-located-in/m-p/23156#M3629 tjensen 2012-11-05T10:21:32Z https://community.splunk.com/t5/Getting-Data-In/HowTo-pull-logs-into-trusted-network-from-a-forwarder-located-in/m-p/23157#M3630 <P>I dont know if Splunk indexer-forwarder supports the feature you need, but a workaround might be to to use something like stunnel or OpenSSH, to create a tunnel that is "listening" on the forwarder, and "forwarding" to the indexer. Your forwarder would then be configured to forward to localhost:port.</P> <P>With SSH this would be called reverse tunnel and would be something like:</P> <UL> <LI>On the indexer: ssh -R 6514:localhost:6514 username@forwarder</LI> </UL> <P>Now on the forwarder, if you connect to localhost:6514, you would be connected to the indexer:6514</P> Mon, 05 Nov 2012 13:39:41 GMT https://community.splunk.com/t5/Getting-Data-In/HowTo-pull-logs-into-trusted-network-from-a-forwarder-located-in/m-p/23157#M3630 lrhazi 2012-11-05T13:39:41Z https://community.splunk.com/t5/Getting-Data-In/HowTo-pull-logs-into-trusted-network-from-a-forwarder-located-in/m-p/23158#M3631 <P>What you are trying to accomplish does not exist in Splunk nativly, but there is always a method. You could use rsync with following switches --stats -rltgoDzrv --append-verify to copy the data to Trusted Network Forward and setup a Monitor on that directory.</P> <P><CODE></CODE><PRE><CODE><BR /> rsync --stats -rltgoDzrv --append-verify -e "ssh -l ssh-user" rsync:://targethost2/module/src/ /tmp/secure_data/<BR /> </CODE></PRE></P> <P>Or Possibly a scripted input using ssh and tail.</P> Mon, 05 Nov 2012 17:44:50 GMT https://community.splunk.com/t5/Getting-Data-In/HowTo-pull-logs-into-trusted-network-from-a-forwarder-located-in/m-p/23158#M3631 bmacias84 2012-11-05T17:44:50Z https://community.splunk.com/t5/Getting-Data-In/HowTo-pull-logs-into-trusted-network-from-a-forwarder-located-in/m-p/23159#M3632 <P>Thanks for this feedback. We'll try it like this way.</P> Tue, 06 Nov 2012 07:44:57 GMT https://community.splunk.com/t5/Getting-Data-In/HowTo-pull-logs-into-trusted-network-from-a-forwarder-located-in/m-p/23159#M3632 tjensen 2012-11-06T07:44:57Z https://community.splunk.com/t5/Getting-Data-In/HowTo-pull-logs-into-trusted-network-from-a-forwarder-located-in/m-p/23160#M3633 <P>Definately the best way to go. I use this on our solution where we have logs that is on a vendor system.</P> Tue, 06 Nov 2012 08:08:27 GMT https://community.splunk.com/t5/Getting-Data-In/HowTo-pull-logs-into-trusted-network-from-a-forwarder-located-in/m-p/23160#M3633 vial8 2012-11-06T08:08:27Z