We're looking at using the Kinesis Firehose integration to get our VPC flow logs into Splunk in an environment with Heavy Forwarders.
I don't see this in the documentation, but I was wondering if we could generate the CA signed cert and terminate it on an F5 rather than each heavy forwarder?
The CA has to be recognized by Amazon and the VIP for the F5 should be public facing in order for it to work with Kinesis Firehose. Additionally, the Splunk version should be 6.6+ and the loadbalancer should support sticky sessions. The HEC on the indexers should have indexer acknowledgement enabled and the set the global setting "ackIdleCleanup = true" .
Docs for inputs.conf
The CA has to be recognized by Amazon and the VIP for the F5 should be public facing in order for it to work with Kinesis Firehose. Additionally, the Splunk version should be 6.6+ and the loadbalancer should support sticky sessions. The HEC on the indexers should have indexer acknowledgement enabled and the set the global setting "ackIdleCleanup = true" .
Docs for inputs.conf
Devil's Advocate: does using the Deployment Server to push the cert help at all here? Alternatively, does the use of the F5 introduce a single point of failure/architectural fragility?
Going to add some wrap up notes here. One surprise is that we couldn't use the Kinesis Firehose over our Direct Connect. So, as the documentation states, it must be publicly accessible. We were able to terminate the cert on the F5 and then forward to Splunk, just had to add useACK=true and ackIdleCleanup=true.
The deployment server does not fix the cert issue on the F5. One of the features of the Firehose mechanism is that it will failover the events to an S3 bucket to ensure the events will eventually make it into Splunk.