
STREAM in DMZ with Intermediate Forwarder

dokaas_2
Path Finder

In our DMZ we have UFs installed on Windows/Linux hosts. They forward events to an intermediate heavy forwarder in the DMZ which doubles as a deployment server and Stream app server. I've pushed out the Splunk_TA_stream to the UFs with the correct intermediate heavy forwarder as the Stream server; however, I'm not seeing any of the UFs. I suspect it's due to restrictions on the firewall between the different DMZ zones.

What ports need to be open between the UFs' Splunk_TA_stream and the Splunk Stream server? I also assume that once it's configured there won't be an issue with routing through an intermediate relay heavy forwarder. Right? And finally, is there a way to manually configure the Splunk_TA_stream add-on and not use the Splunk Stream app?


scelikok
SplunkTrust

Hi @dokaas_2,

You can try the setup below for the manual option. I didn't set stream_app_location in order to avoid a confusing config.

inputs.conf
[streamfwd://streamfwd]
stream_forwarder_id = 
disabled = 0

streamfwd.conf
[streamfwd]
configTemplateName = template_name

* Create a template folder in Splunk_TA_stream/configs like below:
mkdir configs/custom_template
mkdir configs/custom_template/template_name
* Put your template file here; you can copy one from the Splunk_TA_stream/configs folder and edit it for your case. You should check the index setting inside the template.

If you make these settings and push them to the UF, you should start getting data.

Since the UF will not connect to the Stream app, it will not show up under Forwarder Groups. Some dashboards use the internal logs, so they will show some metrics.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok
SplunkTrust

Hi @dokaas_2,

The Stream App listens on 8000 by default if you didn't change it. You can confirm it inside the inputs.conf in your UF configs:

inputs.conf

[streamfwd://streamfwd]
splunk_stream_app_location = https://stream_server:8000/en-us/custom/splunk_app_stream/

You should allow all UFs to reach the HF on that port (8000 TCP) only.

Although there is a kind of hack to configure the Splunk_TA_stream add-on, it is not easy to manage, and in that case you lose the ability to monitor the stream service; that is why it is best to use the Stream App for configuration and also monitoring.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

dokaas_2
Path Finder

Thanks for the reply. I got the splunk_stream_app_location correct (just to be clear for others, 8000 is the default port used by Splunk Web. If one changes the web port, the app location should match -- port 8443 for me).

My concern with opening up port 8443 in the DMZ is, well, it's the DMZ and not fully trusted. Do you have any references for the manual option? Thought I'd just give that a try even if I miss the monitoring, or would it show up in my internal Stream app?

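An added check covering the two setups discussed in this thread; it is not code from Splunk or from any of the posters. It parses the UF's inputs.conf and streamfwd.conf, reports which mode is in effect (app-managed via splunk_stream_app_location, or manual via configTemplateName), what single TCP flow the DMZ firewall has to allow in app mode, and whether the port in the app location URL matches the Splunk Web port actually configured on the HF (8000 by default, 8443 in the poster's case). The template directory layout configs/<name> or configs/<group>/<name>, the hostnames, and the treatment of the template file as opaque are assumptions, as are the constructed sample configs.

```python
"""Audit a Splunk_TA_stream UF configuration for the two setups in the thread.

Added example, not Splunk's code.  Assumed: the stanza and key names shown in
the thread ([streamfwd://streamfwd], splunk_stream_app_location, [streamfwd]
configTemplateName) and that a manual template lives under
Splunk_TA_stream/configs/<name> or configs/<group>/<name>.
"""
import configparser
import socket
from pathlib import Path
from urllib.parse import urlparse

INPUT_STANZA = "streamfwd://streamfwd"

# Constructed samples mirroring the two recipes in the thread (not real hosts).
SAMPLE_INPUTS_APP = """
[streamfwd://streamfwd]
splunk_stream_app_location = https://stream_server:8443/en-us/custom/splunk_app_stream/
disabled = 0
"""
SAMPLE_INPUTS_MANUAL = """
[streamfwd://streamfwd]
stream_forwarder_id =
disabled = 0
"""
SAMPLE_STREAMFWD_MANUAL = """
[streamfwd]
configTemplateName = template_name
"""


def parse_conf(text):
    """Parse Splunk .conf text: INI-like, case-sensitive keys, empty values allowed."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str  # keep configTemplateName etc. case-sensitive
    cp.read_string(text)
    return cp


def stream_server_endpoint(inputs_text):
    """(host, port) the UF must reach in app-managed mode, or None if unset.

    A URL without an explicit port means the scheme default (443/80), not 8000.
    """
    cp = parse_conf(inputs_text)
    if not cp.has_section(INPUT_STANZA):
        return None
    url = (cp.get(INPUT_STANZA, "splunk_stream_app_location", fallback="") or "").strip()
    if not url:
        return None
    u = urlparse(url)
    return u.hostname, u.port or (443 if u.scheme == "https" else 80)


def template_dir(ta_root, name):
    """Resolve configTemplateName to a directory under configs/ (assumed layout)."""
    root = Path(ta_root) / "configs"
    for cand in [root / name, *root.glob(f"*/{name}")]:
        if cand.is_dir():
            return cand
    return None


def audit(inputs_text, streamfwd_text, hf_web_port, ta_root=None):
    """Classify the setup and list inconsistencies.

    hf_web_port: the Splunk Web port configured on the HF (web.conf httpport);
    the app location URL must use the same port.  ta_root: path to
    Splunk_TA_stream on the UF, or None to skip the filesystem check.
    """
    result = {"mode": "unconfigured", "firewall": None, "issues": []}
    endpoint = stream_server_endpoint(inputs_text)
    fwd = parse_conf(streamfwd_text)
    template = None
    if fwd.has_section("streamfwd"):
        template = (fwd.get("streamfwd", "configTemplateName", fallback="") or "").strip() or None

    if endpoint:
        host, port = endpoint
        result["mode"] = "app"
        result["firewall"] = f"UF -> {host}:{port}/tcp"  # the only flow Stream needs
        if port != hf_web_port:
            result["issues"].append(
                f"splunk_stream_app_location uses port {port} but Splunk Web on the HF listens on {hf_web_port}")
        if template:
            result["issues"].append(
                "both splunk_stream_app_location and configTemplateName are set; "
                "the manual recipe leaves the app location unset")
    elif template:
        result["mode"] = "manual"  # no control channel to the Stream app is required
        if ta_root is not None and template_dir(ta_root, template) is None:
            result["issues"].append(f"configTemplateName={template!r} has no matching directory under configs/")
    return result


def tcp_reachable(host, port, timeout=3.0):
    """Connect test from the UF side; False points at the zone firewall or a missing listener."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    print(audit(SAMPLE_INPUTS_APP, "", hf_web_port=8000))  # flags 8443 vs 8000
    print(audit(SAMPLE_INPUTS_MANUAL, SAMPLE_STREAMFWD_MANUAL, hf_web_port=8000))
```

Run it on the UF with the real files (`audit(open(...).read(), ..., hf_web_port=8443, ta_root="/opt/splunkforwarder/etc/apps/Splunk_TA_stream")`) to see which single port the firewall rule needs, and `tcp_reachable(host, port)` to confirm the rule is actually in place before suspecting the add-on.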