Deployment Architecture

How to pull data from DMZ Heavy Forwarder?

randqm
Loves-to-Learn Everything

I want to install HF or UF on our DMZ environment.

The Indexer is on the LAN.

It is not allowed to communicate from the DMZ to the LAN.

I need the logs from the DMZ to be pulled to the Indexer in the LAN (using HF or any other solution).

Please share your insight on how to set this up from your experience.

Thanks in advance.

0 Karma

PickleRick
SplunkTrust

That's a typical problem because Splunk works mostly on "push" principle - forwarders get their data from various inputs but it's them who connect to the indexers (or intermediate forwarders), not the other way around. Splunk doesn't have a built-in "pull" mode.

So you can either set up a designated intermediate forwarder (or forwarders) which will be the only ones allowed to connect to the LAN (but I understand that it may not be that easy with some strict traffic policies) or use some external solution to - for example - write events to a file on some host in the DMZ. You'd then connect from your LAN to this host and read events from those files.

But I don't think there's a ready solution for this.

0 Karma

randqm
Loves-to-Learn Everything

But my issue is that any communication from the DMZ to the LAN is not allowed. ☹️
In the opposite direction it is allowed.

0 Karma

gcusello
SplunkTrust

Hi @randqm,

if no communications are allowed from DMZ to LAN, you have no way to send data!

You can secure the connections between machines using SSL and certificates, and define very hard rules for the firewalls, but if DMZ cannot send data to LAN, there isn't any solution!

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @randqm,

you have to put one (or better two) UFs or HFs to concentrate all the logs from DMZ or outside (e.g. Cloud Services).

So you have to open only the routes between these HFs or UFs and Indexers.

Ciao.

Giuseppe

0 Karma

randqm
Loves-to-Learn Everything

Hi 

Thanks for your response.

Any tips on what configuration and ports need to be opened between the UFs/HFs?

0 Karma

gcusello
SplunkTrust

Hi @randqm,

the usual ports you're using in your Splunk infrastructure:

  • usually 9997 is used to send data to indexers (monodirectional),
  • 8089 (bidirectional) between UFs (or HFs) and Deployment Server for the configurations.

Ciao.

Giuseppe

0 Karma
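The two flows listed above (9997 from the forwarder to the indexers, 8089 from the forwarder to the Deployment Server) can be pinned down in the Splunk .conf files so that only the designated DMZ forwarder is allowed through the firewall, and so that the indexer refuses anything else that reaches port 9997. The following is an added example and not configuration from this thread or from Splunk's documentation; the hostnames, IP addresses, certificate paths and passwords are constructed placeholders and must be replaced.

```ini
# ===== On the designated forwarder in the DMZ (UF or HF): outputs.conf =====
# Assumed: LAN indexer idx1.lan.example at 10.0.0.10, certificates issued by
# your own CA and stored under $SPLUNK_HOME/etc/auth/dmz/ (constructed paths).
[tcpout]
defaultGroup = lan_indexers

[tcpout:lan_indexers]
# This is the single DMZ -> LAN flow the firewall has to allow:
# <this forwarder> -> 10.0.0.10 tcp/9997, initiated from the DMZ side.
server = 10.0.0.10:9997
# Mutual TLS: present our client certificate and verify the indexer's
# certificate against our CA, including its Common Name.
clientCert = $SPLUNK_HOME/etc/auth/dmz/forwarder.pem
sslPassword = CHANGE_ME_constructed_password
sslRootCAPath = $SPLUNK_HOME/etc/auth/dmz/ca.pem
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.lan.example
# Indexer acknowledgement so events are retried rather than lost if the link drops.
useACK = true

# ===== On the same DMZ forwarder, only if a Deployment Server manages it:
# deploymentclient.conf =====
[target-broker:deploymentServer]
# Second flow to allow: <this forwarder> -> ds.lan.example tcp/8089.
# The forwarder polls the Deployment Server, so this is also initiated from the DMZ.
targetUri = ds.lan.example:8089

# ===== On the LAN indexer: inputs.conf =====
[splunktcp-ssl:9997]
disabled = 0
# Only accept the designated DMZ forwarder (assumed DMZ address 10.20.0.5);
# any other source that reaches this port is dropped by Splunk itself.
acceptFrom = 10.20.0.5

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/lan/indexer.pem
sslPassword = CHANGE_ME_constructed_password
# Reject forwarders that do not present a certificate signed by our CA.
requireClientCert = true
sslVersions = tls1.2
```

On the indexer, the CA used to validate the forwarder's client certificate is the one configured as `sslRootCAPath` under `[sslConfig]` in server.conf. With these stanzas in place the firewall rule set needed for the design described in this thread is two outbound pinholes from the DMZ forwarder (to the indexers on 9997 and, if used, to the Deployment Server on 8089); if forwarder configuration is pushed some other way, the 8089 rule is not required. Checking the firewall logs for connection attempts to 9997 from any DMZ address other than the designated forwarder is a cheap way to spot hosts that were configured to send directly instead of through it.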