I want to install HF or UF on our DMZ environment.
The Indexer is on the LAN.
It is not allowed to communicate from the DMZ to the LAN.
I need that the logs from the DMZ will be pulled to the Indexer in the LAN (using HF or any other solution).
Please share your insight on how to set this up from your experience.
Thanks in advance.
That's a typical problem because Splunk works mostly on "push" principle - forwarders get their data from various inputs but it's them who connect to the indexers (or intermediate forwarders), not the other way around. Splunk doesn't have a built-in "pull" mode.
So you can either set up a designated intermediate forwarder(s) which will be the only ones allowed to connect to LAN (but I understand that it can be not that easy with some strict traffic policies) or use some external solution to - for example - write events to a file on some host in DMZ. You'd then connect from your LAN to this host and read events from those files.
But I don't think there's a ready solution for this.
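As an added example (not from the poster), the intermediate-forwarder layout described above written out as Splunk configuration; the hostnames, addresses, certificate paths and key passwords are assumptions and placeholders:

```ini
# --- outputs.conf on each DMZ UF (assumed hosts) ---
# DMZ forwarders send only to the intermediate HF inside the DMZ,
# so nothing in the DMZ except dmz-hf01 needs a route to the LAN.
[tcpout]
defaultGroup = dmz_intermediate

[tcpout:dmz_intermediate]
# assumed address of the intermediate HF
server = dmz-hf01.example.internal:9997
useACK = true
sslVerifyServerCert = true
clientCert = $SPLUNK_HOME/etc/auth/uf-client.pem
sslPassword = <placeholder: private key password>

# --- inputs.conf on the intermediate HF (dmz-hf01, assumed) ---
# Listen for forwarder traffic over TLS and require a client cert,
# so an arbitrary DMZ host cannot inject events into the pipeline.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/dmz-hf01.pem
sslPassword = <placeholder: private key password>
requireClientCert = true

# --- outputs.conf on the intermediate HF (dmz-hf01) ---
# This is the single DMZ -> LAN flow the firewall has to permit:
# dmz-hf01 -> <indexer addresses>:9997 only. Indexer acknowledgement
# (useACK) keeps events queued on the HF while that route is down.
[tcpout]
defaultGroup = lan_indexers

[tcpout:lan_indexers]
# placeholder LAN indexer addresses
server = 10.0.0.11:9997, 10.0.0.12:9997
useACK = true
sslVerifyServerCert = true
clientCert = $SPLUNK_HOME/etc/auth/dmz-hf01.pem
sslPassword = <placeholder: private key password>

# The CA that both sides trust is configured separately in
# server.conf under [sslConfig] as sslRootCAPath on every host.
```

The firewall change this needs is one source host to the indexers on one port, which is usually easier to get approved than per-server DMZ to LAN rules.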
If no communications are allowed from DMZ to LAN, you have no way to send data!
You can secure the connections between machines using SSL and certificates, and define very hard rules for the firewalls, but if DMZ cannot send data to LAN, there isn't any solution!
You have to put one (or better two) UFs or HFs to concentrate all the logs from the DMZ or outside (e.g. Cloud Services).
So you have to open only the routes between these HFs or UFs and Indexers.
The usual ports you're using in your Splunk infrastructure: