Deployment Architecture

Universal forwarder on intranet environment

shriramwasule
New Member

Hi All,

Our scenario is this: in our AWS environment, we want to collect our logs using a universal forwarder from our Linux, EKS and Windows servers.

But the thing here is we don't have internet in our environment. Can anyone please suggest a solution for how we can install this forwarder and use it to forward our logs to a centralized server for monitoring?

Basically it's a non-routable environment.

And there are 3 resources from which we want to collect logs:

Linux server

Windows server

EKS cluster

PickleRick
SplunkTrust

1. There is no such thing as "non-routable" addresses or environment. Every packet can be routed. It can just be your policy that you don't route specific traffic.

2. You must have some form of connectivity between the sources and the destination Splunk installation. Depending on the details of the installation it can be a straight over-the-internet connection, it can be a local connection, it can be a VPN tunnel. But you must have some connectivity. Otherwise how do you want to provide Splunk with the data to index? Send on floppy disks?

gcusello
SplunkTrust

Hi @shriramwasule,

if you cannot open a connection to the Internet for any system, the only solution is to have a Splunk infrastructure on premise in your segregated network.

If instead you can open the Internet connection for only one system, you could use one Heavy Forwarder (a full Splunk instance that doesn't index data but forwards all data to your Private Cloud Splunk Infrastructure) as a concentrator; in this way you can send data to Splunk while limiting the Internet connections.

It would be better to use two Heavy Forwarders to balance the load and avoid a Single Point of Failure.

Ciao.

Giuseppe
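
The two-heavy-forwarder layout suggested in the reply above, sketched as Splunk forwarder configuration. This is an added example, not part of the original post: the hostnames, the group names, port 9997 and the central receiver address are placeholders chosen for illustration.

```ini
# --- Universal forwarder (Linux / Windows sources): outputs.conf ---
# Hostnames, group names and the port below are placeholders (assumptions).
[tcpout]
defaultGroup = hf_concentrators

[tcpout:hf_concentrators]
# Two heavy forwarders: the forwarder load-balances across this list,
# so losing one heavy forwarder does not stop forwarding.
server = hf1.example.internal:9997, hf2.example.internal:9997
# Acknowledgment: data that the receiver does not confirm is resent.
useACK = true

# --- Heavy forwarder: inputs.conf ---
# Listen for forwarder traffic coming from inside the isolated network.
[splunktcp://9997]
disabled = 0

# --- Heavy forwarder: outputs.conf ---
# Pass everything on without keeping a locally indexed copy.
[indexAndForward]
index = false

[tcpout]
defaultGroup = central_splunk

[tcpout:central_splunk]
# Placeholder for the central Splunk receiver the heavy forwarders can reach.
server = splunk-receiver.example.com:9997
useACK = true
```

With this layout only the two heavy forwarders need an outbound path to the central Splunk deployment; the source servers only need to reach the heavy forwarders on the receiving port.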
