
How to get data into Splunk without a universal forwarder

rob_gibson
Path Finder

I have an on-prem Splunk Enterprise installation, consisting exclusively of Universal Forwarders and a single Indexer.

We now have a cloud-hosted environment that is restricted, as it is hosted by an external company. They do not allow us to install any software (but their own) on the servers.

Is there any way to get data into my Indexer, without a forwarder?

Without a forwarder, am I able to apply allow/deny lists to events?

0 Karma

gcusello
SplunkTrust

Hi @marnall,

the solution depends on two factors:

1) the type of server:

If it's a Linux server, you can use a syslog or (as @marnall says) an HEC.

If it's Windows, it is a little more difficult because you cannot use syslog; you could use WMI, even if I don't like it.

2) the type of logs you have to ingest (operating system, application)?

If application, maybe it has a syslog sending monitoring feature and you can use it.

Ciao.

Giuseppe

0 Karma

marnall
Motivator

Does the cloud-hosted environment have any kind of log export functionality? It may be possible to configure it to send logs to the Splunk HTTP Event Collector.

Or, instead of pushing the logs, you can pull the logs using an API if it is offered by your cloud-hosted environment.

0 Karma

rob_gibson
Path Finder

Does the HEC support allow/deny for specific event types?  We have a LOT of data that we do not want to capture/forward from the cloud.

0 Karma

marnall
Motivator

That isn't specifically a HEC functionality, but Splunk can be configured with props and transforms to discard unwanted data by sending it to the nullQueue before indexing. This will consume network bandwidth from sending the data from the cloud to Splunk, but will not count the discarded logs against your Splunk license.

0 Karma
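A sketch of the props/transforms nullQueue filtering described in the reply above, added here as an example and not posted by anyone in the thread. The sourcetype `cloud:app:logs`, the stanza names and the regexes are assumptions chosen for illustration; substitute the sourcetype assigned to your HEC token and patterns that match your own events.

```ini
# props.conf on the indexer (the instance that receives the HEC data)
# "cloud:app:logs" is a hypothetical sourcetype set on the HEC token.
[cloud:app:logs]
# Deny list: drop only events that match, index everything else.
TRANSFORMS-drop_noise = cloud_drop_debug

# Allow list alternative (use INSTEAD of the line above).
# Transforms run left to right: every event is first routed to nullQueue,
# then events matching the second transform are routed back to indexQueue.
# TRANSFORMS-allow_only = cloud_drop_all, cloud_keep_auth

# transforms.conf on the same instance
# Constructed pattern: discard verbose log levels.
[cloud_drop_debug]
REGEX = \slevel=(DEBUG|TRACE)\s
DEST_KEY = queue
FORMAT = nullQueue

# Matches every event; only meaningful as the first step of the allow list.
[cloud_drop_all]
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue

# Constructed pattern: the only event types to keep under the allow list.
[cloud_keep_auth]
REGEX = \sevent_type=(login|logout|auth_failure)\s
DEST_KEY = queue
FORMAT = indexQueue
```

These are index-time settings, so they affect only events that arrive after splunkd has been restarted with the new configuration; data already indexed is not removed.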