All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Proxy creation and configuration in Splunk

splunklearner
Communicator
‎03-10-2025 03:41 AM

We are trying to on-board Akamai logs to Splunk. Installed the add-on. Here it is asking for proxy server and proxy host. I am not sure what these means? Our splunk instances are hosted on AWS and instances are refreshed every 45 days due to compliance and these are not exposed to internet (internal). How to create and configure proxy server here? Please guide me

This is the app installed - https://splunkbase.splunk.com/app/4310

Labels (2)
Labels
0 Karma
Reply

livehybrid
Super Champion
‎03-10-2025 05:10 AM

Hi @splunklearner 

Do you have direct connectivity to your Akamai feed from the EC2 instance? If so you shouldnt need to configure a proxy. Please can you post a screenshot or link to where you are looking?

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

kiran_panchavat
Influencer
‎03-10-2025 04:10 AM

@splunklearner 

If you don’t want to manage a proxy server, you could use a NAT Gateway in a public subnet to provide internet access to your private subnet. However, this won’t work directly with the Akamai add-on’s proxy settings, as it expects an HTTP/HTTPS proxy, not a network-layer NAT. Stick with a proxy server like Squid for compatibility.
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

kiran_panchavat
Influencer
‎03-10-2025 04:08 AM

@splunklearner 

Since your Splunk instances can’t access the internet directly, you need a proxy server within your AWS environment (or on-premises, if applicable) that can:
 
  • Handle HTTPS traffic (port 443, as Akamai uses secure endpoints).
  • Be accessible from your Splunk instances in the private subnet.
  • Route traffic to Akamai’s servers (e.g., DataStream endpoints or API hosts).
You likely don’t have a proxy server set up yet, so you’ll need to create one.
 
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply

splunklearner
Communicator
‎03-10-2025 04:42 AM

@kiran_panchavat how and where to create proxy server for this requirement? Please let me know.

0 Karma
Reply

kiran_panchavat
Influencer
‎03-10-2025 05:25 AM

@splunklearner 

To set up a proxy, please contact the Network team, discuss your requirements with them, and proceed accordingly.

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

kiran_panchavat
Influencer
‎03-10-2025 05:16 AM

@splunklearner 

Step 1: Assess Your AWS Network Architecture
Since your instances are internal, you likely have a Virtual Private Cloud (VPC) with private subnets. To enable outbound internet access:
 
  • Check if you already have a NAT Gateway or NAT Instance in a public subnet within your VPC. These are common AWS solutions for allowing private instances to access the internet.
  • If not, you’ll need to set up a proxy server or coordinate with your network team to provide one.
 
Set Up a Proxy Server in AWS
 
Please check this 
 
 
I suggest reaching out to your Network team to set up a proxy.
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

kiran_panchavat
Influencer
‎03-10-2025 05:21 AM

@splunklearner 


You can create your own proxy server using an EC2 instance. Here are the steps:

Launch an EC2 Instance for the Proxy:
 
  • Go to the AWS EC2 console.
  • Launch a new instance (e.g., t2.micro for testing) in a public subnet of your VPC.
  • Use an Amazon Linux 2 AMI (or your preferred OS).
  • Assign a public IP address and ensure it’s in a security group that allows:
    • Inbound traffic on port 3128 (default Squid port) from your Splunk instances’ private subnet CIDR.
    • Outbound traffic to anywhere (0.0.0.0/0) on HTTPS (port 443) to reach Akamai’s API.
  1. Install and Configure Squid:
    • SSH into the EC2 instance.
    • Install Squid:
       
      sudo yum update -ysudo yum install squid -y
    • Edit the Squid configuration file (/etc/squid/squid.conf)
       
      sudo vi /etc/squid/squid.conf
      • Add your Splunk instances’ subnet to allow access (replace 10.0.1.0/24 with your private subnet CIDR):
         
        acl splunk_subnet src 10.0.1.0/24http_access allow splunk_subnet
http_access deny all
http_port 3128
    • Save and exit, then start Squid:
       
      sudo systemctl start squidsudo systemctl enable squid
  2. Update Route Tables:
    • Ensure your Splunk instances’ private subnet route table routes traffic destined for the proxy (e.g., the proxy’s private IP) to the proxy instance. You may not need this if the proxy is in the same VPC and reachable via its private IP.
  3. Record Proxy Details:
    • Proxy Host: The private IP of the EC2 instance (e.g., 10.0.2.50).
    • Proxy Port: 3128 (or whatever you set in squid.conf).
Alternatively, if your organization prefers a managed solution, you could use an AWS NAT Gateway instead of a custom proxy:
 
  • Deploy a NAT Gateway in a public subnet.
  • Update the private subnet route table to route 0.0.0.0/0 to the NAT Gateway.
  • Note: NAT Gateways don’t require a specific “proxy host” configuration in the add-on; they transparently handle outbound traffic. However, the Akamai add-on may still expect a proxy, so a custom proxy might be more compatible.
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
Reply

kiran_panchavat
Influencer
‎03-10-2025 04:08 AM

@splunklearner 

Proxy Server: A proxy server acts as an intermediary between your Splunk instance and an external service (like Akamai’s log delivery endpoints). It forwards requests from your internal network to the internet and relays responses back. This is critical in your case since your Splunk instances lack direct internet access.

Proxy Host: This is the specific hostname or IP address of the proxy server that Splunk will use to route its outbound traffic.

Since your Splunk instances are internal and not internet-facing, you’ll need a proxy to enable communication with Akamai’s services (e.g., to pull logs via API or receive them via HTTP Event Collector if configured that way). Additionally, with instances refreshing every 45 days, you’ll need a solution that’s consistent across refreshes.
 
Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
Top