Deployment Architecture

How to pull data from DMZ Heavy Forwarder?

randqm
Loves-to-Learn Everything

I want to install HF or UF on our DMZ environment.

The Indexer is on the LAN.

It is not allowed to communicate from the DMZ to the LAN.

I need the logs from the DMZ to be pulled to the Indexer in the LAN (using HF or any other solution).

Please share your insight on how to set this up from your experience.

Thanks in advance.

0 Karma

PickleRick
SplunkTrust

That's a typical problem because Splunk works mostly on "push" principle - forwarders get their data from various inputs but it's them who connect to the indexers (or intermediate forwarders), not the other way around. Splunk doesn't have a built-in "pull" mode.

So you can either set up a designated intermediate forwarder(s) which will be the only ones allowed to connect to the LAN (but I understand that it may not be that easy with some strict traffic policies) or use some external solution to - for example - write events to a file on some host in the DMZ. You'd then connect from your LAN to this host and read events from those files.

But I don't think there's a ready solution for this.

0 Karma

randqm
Loves-to-Learn Everything

But my issue is that any communication from the DMZ to the LAN is not allowed. ☹️
In the opposite direction it is allowed.

0 Karma

gcusello
SplunkTrust

Hi @randqm,

if no communications are allowed from DMZ to LAN, you have no way to send data!

You can secure the connections between machines using SSL and certificates, and define very hard rules for the firewalls, but if the DMZ cannot send data to the LAN, there isn't any solution!

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @randqm,

you have to put one (or better two) UFs or HFs in place to concentrate all the logs from the DMZ or from outside (e.g. Cloud Services).

So you have to open only the routes between these HFs or UFs and Indexers.

Ciao.

Giuseppe

0 Karma

randqm
Loves-to-Learn Everything

Hi,

Thanks for your response.

Any tips on what configuration and ports need to be opened between the UFs/HFs?

0 Karma

gcusello
SplunkTrust

Hi @randqm,

the usual ports you're using in your Splunk infrastructure:

  • usually 9997 is used to send data to indexers (monodirectional),
  • 8089 (bidirectional) between UFs (or HFs) and Deployment Server for the configurations.

Ciao.

Giuseppe

0 Karma
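As an added illustration of the design described in this thread (a concentrator forwarder in the DMZ as the only host allowed to reach the LAN indexers on tcp/9997, TLS with client certificates so the indexer only accepts that forwarder, and tcp/8089 to the Deployment Server for configuration), here are the Splunk .conf stanzas involved. This is example configuration written for this thread, not configuration posted by any of the participants; the hostnames, certificate paths and the `lan_indexers` group name are assumptions, and the certificates themselves must be issued separately from your own CA.

```ini
# ---- On the DMZ concentrator HF/UF: $SPLUNK_HOME/etc/system/local/outputs.conf ----
# Only this host needs a firewall rule DMZ -> LAN on tcp/9997 (assumed indexer names).
[tcpout]
defaultGroup = lan_indexers

[tcpout:lan_indexers]
server = idx1.lan.example:9997, idx2.lan.example:9997
useACK = true
# Forwarder presents its own certificate and verifies the indexer's (assumed paths).
clientCert = $SPLUNK_HOME/etc/auth/mycerts/dmz-forwarder.pem
sslPassword = <forwarder key password, placeholder>
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.lan.example, idx2.lan.example

# ---- On the DMZ concentrator HF/UF: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ----
# Second and last rule DMZ -> LAN: tcp/8089 to the Deployment Server (assumed name).
[deployment-client]

[target-broker:deploymentServer]
targetUri = ds.lan.example:8089

# ---- On each LAN indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# TLS-only receiving port; plain [splunktcp://9997] is deliberately not opened.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <indexer key password, placeholder>
# Reject any sender that does not present a certificate signed by our CA,
# so a rogue DMZ host cannot inject events even if the firewall rule is too wide.
requireClientCert = true
sslCommonNameToCheck = dmz-forwarder.dmz.example

# ---- On each LAN indexer: $SPLUNK_HOME/etc/system/local/server.conf ----
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
```

After restarting both sides, `splunk list forward-server` on the concentrator should list the indexers under "Active forwards", and the indexer's splunkd.log will show a TLS handshake failure rather than accepted data if a host without a CA-signed client certificate tries to connect on 9997. Note that the DMZ forwarder is still the initiating side of every connection, which is what makes this layout work under a policy that allows DMZ -> LAN only for explicitly listed hosts and ports; if the policy allows no DMZ -> LAN traffic at all, as gcusello says above, Splunk's own forwarding has no pull mode to fall back on.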