What is the best method for an Indexer not to accept traffic from unknown forwarders?

Hello All,

Other than using authentication between forwarders and the Indexer,
I am just wondering if there is a simple way to tell an
Indexer to ONLY accept connections (forwarding traffic) from
a set of known forwarders. Thanks.

Regards
DL

Re: What is the best method for an Indexer not to accept traffic from unknown forwarders?

Using SSL authentication where the forwarder must present a certificate signed by the appropriate CA is probably the most secure way. You could also configure a firewall or iptables on the Splunk indexer to allow only traffic to the indexer inbound ports from the IP addresses of the known forwarders. That's perhaps a little less overhead to set up.
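
The iptables approach from the reply above, as an added example that is not part of the original thread: the script validates a forwarder list and prints the rules for review instead of applying them. Port 9997, the chain name SPLUNK_FWD and the forwarder addresses are assumed placeholders.

```shell
#!/bin/sh
# Constructed sample values: port 9997 and the documentation-range addresses
# below are assumptions; substitute the indexer's receiving port and real IPs.
SPLUNK_PORT=9997
FORWARDERS="192.0.2.10 192.0.2.11 198.51.100.0/28"

# Return 0 only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print (not apply) iptables commands: a dedicated chain accepts the known
# forwarders, logs and drops everything else, and is hooked into INPUT last
# so the port is never filtered by a half-built chain.
gen_rules() {
    port=${1:-}; [ $# -eq 0 ] || shift
    case $port in ''|*[!0-9]*|??????*) port=0 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "invalid port" >&2; return 1; }
    # Refuse an empty list: it would silently become a drop-all rule set.
    [ $# -gt 0 ] || { echo "no forwarders given" >&2; return 1; }
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "invalid address: $src" >&2; return 1; }
    done
    echo "iptables -N SPLUNK_FWD"
    for src in "$@"; do
        echo "iptables -A SPLUNK_FWD -s $src -j ACCEPT"
    done
    echo "iptables -A SPLUNK_FWD -m limit --limit 5/min -j LOG --log-prefix 'splunk-fwd-deny: '"
    echo "iptables -A SPLUNK_FWD -j DROP"
    echo "iptables -I INPUT -p tcp --dport $port -j SPLUNK_FWD"
}

# Review the output before running it as root on the indexer.
gen_rules "$SPLUNK_PORT" $FORWARDERS
```

These rules filter on source address only, so they restrict who can connect but do not authenticate the forwarder the way the certificate option does.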