Deployment Architecture

HF to LM... is it one way or two way communication

inventsekar
SplunkTrust

Hi Splunkers... 

Assumptions... The HF we want to deploy.. it should be inside a DMZ network, the license master is outside the DMZ and all necessary ports will be opened as required

now the question is..

Can License Master to HF have only one way direction communication(info flow is only from LM to HF... not two way, in the sense... there will be no HF to LM info flow)

OR

the LM to HF requires two way communication by default. 

please suggest, thanks. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

inventsekar
SplunkTrust

@gcusello may i know your advice please

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

gcusello
SplunkTrust

Hi @inventsekar ,

as @isoutamo said, if you don't need a local indexing, you can use the Forwarder License (it was created just for this purpose!).

Using this license, you have all the features of a Splunk instance except indexing.

In other words, you can preprocess (mainly parse) your data.

In this way you can locate this job on HFs instead of IDXs.

Using the Forwarder License, you don't need to communicate with the LM, unless you want a local copy of your logs: in this case you need a unidirectional connection with the LM on port 8089.

Ports between HF and LM aren't relevant.

On HF you need only: 9997 to send data to IDXs and 8089 to manage HF with your DS.

Ciao.

Giuseppe

isoutamo
SplunkTrust

Hi

the HF - LM communication is always one way, from HF to LM never other way. 
Actually you don’t need that communication at all, you could change HF license mode to use forwarder licence when it can use all HF features to forward events to the next full splunk instances (hf, uf or indexer). It can just forward but not index anything.

r. Ismo

inventsekar
SplunkTrust

>>> Actually you don’t need that communication at all, you could change HF license mode to use forwarder licence when it can use all HF features to forward events to the next full splunk instances (hf, uf or indexer). It can just forward but not index anything.

yes @isoutamo .. we thought that idea. but, as HF does some "preprocessing" (field extractions, etc) of logs, right.. so, if we use HF just like a UF (only for forwarding the logs), then indexer's job is same like as if we don't have the HF at all, right (i mean, the indexer needs to do full job of all processing of logs)

EDIT
>>> the HF - LM communication is always one way, from HF to LM never other way. 
you mean, HF will send request to LM asking the license info then it takes care of its job. there is no need of LM requesting/sending/asking info from/to the HF?

ok, simple question... between HF and LM... please update us the ports configuration. thanks @isoutamo , karma points given appreciating your response. thanks again. 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma

isoutamo
SplunkTrust

You can do those “indexer stuff” with that forwarder licence. The only thing that is missing is indexing.

You need to open only management access. Normally this is port 8089/tcp. Then if/when you want to monitor those with MC you need to access also MC -> LC that same port and those as indexer and create some own groups for those etc.

0 Karma
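
The connections discussed in this thread, written out as configuration on the HF. This is an added example, not posted by any participant in the thread; host names and the output group name are placeholders, and the settings shown are standard Splunk Enterprise `server.conf`, `outputs.conf` and `deploymentclient.conf` keys. Every connection below is opened by the HF, so the DMZ firewall only needs rules in the HF-to-internal direction for these flows.

```ini
# Constructed example. Host names are placeholders, not values from the thread.
# Splunk .conf files do not support trailing comments, so each comment
# sits on its own line.

# ---- $SPLUNK_HOME/etc/system/local/server.conf ----
# Option A: the HF is a license peer of the LM.
# The HF initiates the connection to the LM management port (8089/tcp);
# the LM does not open connections to the HF.
# Older releases name this setting master_uri.
[license]
manager_uri = https://lm.example.internal:8089

# Option B: Forwarder license group, no HF-to-LM connection at all.
# Parsing and forwarding still work; local indexing does not.
# Use this stanza instead of the one above.
# [license]
# active_group = Forwarder

# ---- $SPLUNK_HOME/etc/system/local/outputs.conf ----
# Parsed events are sent from the HF to the indexers on 9997/tcp.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997

# ---- $SPLUNK_HOME/etc/system/local/deploymentclient.conf ----
# The HF contacts the deployment server on its management port (8089/tcp).
[target-broker:deploymentServer]
targetUri = ds.example.internal:8089
```

Monitoring the HF from the MC, as mentioned in the last reply, is the one flow here that runs toward the HF's own management port, so it needs a separate rule in that direction.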