STREAM in DMZ with Intermediate Forwarder

dokaas_2
Path Finder

In our DMZ we have UFs installed on Windows/Linux hosts. They forward events to an intermediate heavy forwarder in the DMZ which doubles as a deployment server and Stream app server. I've pushed out the Splunk_TA_stream to the UFs with the correct intermediate heavy forwarder as the Stream server; however, I'm not seeing any of the UFs. I suspect it's due to restrictions on the firewall between the different DMZ zones.

What ports need to be open between the UFs' Splunk_TA_stream and the Splunk Stream server? I also assume that once it's configured there won't be an issue with routing through an intermediate relay heavy forwarder... Right? And finally, is there a way to manually configure the Splunk_TA_stream add-on and not use the Splunk Stream app?

0 Karma
1 Solution

scelikok
Champion

Hi @dokaas_2,

You can try the setup below for the manual option. I didn't set stream_app_location in order to avoid a confusing config.

inputs.conf
[streamfwd://streamfwd]
stream_forwarder_id = 
disabled = 0

streamfwd.conf
[streamfwd]
configTemplateName = template_name

* Create a template folder in Splunk_TA_stream/configs like below:
mkdir configs/custom_template
mkdir configs/custom_template/template_name
* Put your template file here; you can copy one from the Splunk_TA_stream/configs folder and edit it for your case. You should check the index setting inside the template.

If you make these settings and send them to the UF, you should start getting data.

Since the UF will not connect to the Stream app, it will not show up under Forwarder Groups. Some dashboards use the internal log, so they will show some metrics.

If this reply helps you an upvote is appreciated.


0 Karma
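A script form of the manual layout described in this answer, added here as an example; it is not part of the original post or of Splunk's own tooling. It writes the two stanzas above into Splunk_TA_stream, creates the custom_template/template_name folder, copies a template file into it, and then re-reads the result to confirm the pieces agree with each other (input enabled, configTemplateName resolves to an existing non-empty folder, the template mentions an index) before the files are pushed from the deployment server. The TA path, forwarder id and template contents used in the demo are constructed placeholders, and the index check is a plain text search rather than a parse of the template format.

```bash
#!/usr/bin/env bash
# Added example: lay out the manual Splunk_TA_stream configuration from the
# answer above and verify it before pushing it from the deployment server.
# Paths, forwarder id and template contents below are constructed placeholders.
set -eu

# conf_get FILE STANZA KEY -> prints the key's value from that stanza (first match).
conf_get() {
  [ -f "$1" ] || return 1
  awk -v stanza="[$2]" -v key="$3" '
    /^\[/ { in_stanza = ($0 == stanza); next }
    in_stanza && $0 ~ "^" key "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# build_manual_app TA_DIR TEMPLATE_NAME FORWARDER_ID SOURCE_TEMPLATE
# Writes local/inputs.conf and local/streamfwd.conf exactly as in the answer
# and places the copied template under configs/custom_template/TEMPLATE_NAME.
build_manual_app() {
  local ta="$1" tmpl="$2" fwd_id="$3" src="$4"
  mkdir -p "$ta/local" "$ta/configs/custom_template/$tmpl"
  cat > "$ta/local/inputs.conf" <<EOF
[streamfwd://streamfwd]
stream_forwarder_id = $fwd_id
disabled = 0
EOF
  cat > "$ta/local/streamfwd.conf" <<EOF
[streamfwd]
configTemplateName = $tmpl
EOF
  cp "$src" "$ta/configs/custom_template/$tmpl/"
}

# verify_manual_app TA_DIR -> prints the template name on success, fails otherwise.
verify_manual_app() {
  local ta="$1" tmpl dir
  [ "$(conf_get "$ta/local/inputs.conf" "streamfwd://streamfwd" disabled)" = "0" ] \
    || { echo "streamfwd input is not enabled" >&2; return 1; }
  tmpl="$(conf_get "$ta/local/streamfwd.conf" streamfwd configTemplateName || true)"
  [ -n "$tmpl" ] || { echo "configTemplateName not set" >&2; return 1; }
  dir="$ta/configs/custom_template/$tmpl"
  [ -d "$dir" ] && [ -n "$(ls -A "$dir")" ] \
    || { echo "template folder $dir missing or empty" >&2; return 1; }
  # The answer says to check the index setting inside the template; this is a
  # plain text search, not a parse of the template format.
  grep -rqi 'index' "$dir" || { echo "no index setting found in $dir" >&2; return 1; }
  printf '%s\n' "$tmpl"
}

# Stand-alone demonstration in a scratch directory. The template file is a
# constructed stand-in, not a real Stream template.
demo() {
  local work ta
  work="$(mktemp -d)"
  ta="$work/Splunk_TA_stream"
  printf '# constructed stand-in for a copied template\nindex = stream_dmz\n' > "$work/copied.template"
  build_manual_app "$ta" template_name uf-dmz-01 "$work/copied.template"
  verify_manual_app "$ta" >/dev/null && echo "manual Stream config under $ta is consistent"
  rm -rf "$work"
}
demo
```

Run it against the real TA directory on the deployment server (or on the UF after the push) by calling build_manual_app with the copied template and then verify_manual_app; a non-zero exit tells you which of the three pieces disagrees before you wait for data that never arrives.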

scelikok
Champion

Hi @dokaas_2,

Stream App will listen on 8000 by default if you didn't change it. You can confirm it inside your inputs.conf in the UF configs:

inputs.conf

[streamfwd://streamfwd]
splunk_stream_app_location = https://stream_server:8000/en-us/custom/splunk_app_stream/

You should allow all UFs to reach the HF on that port (8000 TCP) only.

Although there is a kind of hack to configure the Splunk_TA_stream add-on, it is not easy to manage, and in that case you lose the monitoring ability of the stream service. That is why it is best to use the Stream App for configuration and also monitoring.

If this reply helps you an upvote is appreciated.
0 Karma
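The reachability check implied by this reply, added as an example that is not from the thread or from Splunk: read splunk_stream_app_location out of the UF's inputs.conf, split it into host and port (falling back to 443 or 80 when the URL omits the port, so a Splunk Web moved to another port is picked up correctly), and attempt a single TCP connect from the UF to that one port, which is the only rule the firewall between the DMZ zones needs. The connect test assumes a Linux UF with either nc or bash's /dev/tcp available; the sample inputs.conf is constructed and reuses the stream_server:8000 URL from the reply.

```bash
#!/usr/bin/env bash
# Added example: derive the Stream server host and port a UF must reach from
# splunk_stream_app_location and test that single TCP path. Sample inputs are
# constructed; on a real UF point it at Splunk_TA_stream's inputs.conf.
set -eu

# stream_app_location INPUTS_CONF -> prints the splunk_stream_app_location value
stream_app_location() {
  [ -f "$1" ] || return 1
  awk '
    /^\[/ { in_stanza = ($0 == "[streamfwd://streamfwd]"); next }
    in_stanza && /^splunk_stream_app_location[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
  ' "$1"
}

# url_host_port URL -> prints "host port"; the port falls back to the scheme
# default (443 for https, 80 for http) when the URL does not carry one.
url_host_port() {
  local url="$1" scheme rest hostport host port
  scheme="${url%%://*}"
  rest="${url#*://}"
  hostport="${rest%%/*}"
  host="${hostport%%:*}"
  if [ "$host" != "$hostport" ]; then
    port="${hostport##*:}"
  elif [ "$scheme" = "https" ]; then
    port=443
  else
    port=80
  fi
  printf '%s %s\n' "$host" "$port"
}

# tcp_reachable HOST PORT -> exit 0 if a TCP connection opens within 5 seconds.
# Per the reply, this one port from the UF zone to the HF is all that is needed.
tcp_reachable() {
  local host="$1" port="$2"
  if command -v nc >/dev/null 2>&1; then
    nc -z -w 5 "$host" "$port"
  else
    timeout 5 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
  fi
}

# check_stream_path INPUTS_CONF -> reports whether the UF can reach the Stream server.
check_stream_path() {
  local url hp
  url="$(stream_app_location "$1" || true)"
  [ -n "$url" ] || { echo "splunk_stream_app_location not set in $1" >&2; return 1; }
  hp="$(url_host_port "$url")"
  # shellcheck disable=SC2086
  if tcp_reachable $hp; then
    echo "UF can reach Stream server at $hp (TCP)"
  else
    echo "UF cannot reach Stream server at $hp; check the firewall rule between the DMZ zones" >&2
    return 1
  fi
}

# Demonstration with a constructed inputs.conf that reuses the reply's URL.
# It only resolves host and port; call check_stream_path on the UF's real
# inputs.conf to run the live connect test.
demo() {
  local f
  f="$(mktemp)"
  printf '[streamfwd://streamfwd]\nsplunk_stream_app_location = https://stream_server:8000/en-us/custom/splunk_app_stream/\n' > "$f"
  echo "Stream server host/port from constructed inputs.conf: $(url_host_port "$(stream_app_location "$f")")"
  rm -f "$f"
}
demo
```

If the connect fails while the Stream server itself is healthy, the gap is the inter-zone firewall rule for that host and port, which matches the symptom in the question of UFs never appearing in the Stream app.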

dokaas_2
Path Finder

Thanks for the reply. I got the splunk_stream_app_location correct (just to be clear for others, 8000 is the default port used by Splunk Web. If one changes the web port, the app location should match -- port 8443 for me).

My concern with opening up port 8443 in the DMZ is, well, it's the DMZ and not fully trusted. Do you have any references for the manual option? Thought I'd just give that a try even if I miss the monitoring, or would it show up in my internal Stream app?

0 Karma