What are other options to allow our search head an...

acidkewpie · ‎01-20-2015

Hi,

We have a Search head on the other side of a WAN which needs to search against an Index cluster in a sensitive network segment. A security requirement is that we must use an intermediate device as a broker of some form between these network areas.

The protocol is apparently not HTTP, so an HTTP proxy is no use, what else might be available to allow these systems to connect in line with our security policy?

aakwah · ‎01-27-2015

Bluecoat proxysg can create tcp tunnel (it will not go above layer 4) between the 2 networks

thomrs · ‎01-20-2015

Use the SDK to access Splunk. I use the python SDK to feed our corp portal and have similar security restraints. Once I started using the SDK all kind of new uses opened up.

The JS SDK has some great examples, a mini search page is one you may find useful.

http://dev.splunk.com/view/splunk-sdk/SP-CAAADP7

acidkewpie · ‎01-21-2015

Well I need something we could call a proxy. Could I use this to write a proxy somehow, instead of a client? We definitely need to use a search head to query an index.

thomrs · ‎01-21-2015

If you run this on ngingx for example you could have the Splunk end point be local host and use proxy pass to access Splunk. Have not done this myself.

http://nginx.org/en/docs/http/ngx_http_proxy_module.html

I you need a full SH you may be able to use squid in a distrubitred search config.

http://docs.splunk.com/Documentation/Splunk/6.2.1/DistSearch/Whatisdistributedsearch

I use autossh to set up a socks proxy via a bastion host, this allows me to access my Splunk instance anywhere.

Hope this helps.

What are other options to allow our search head and index cluster to connect without an HTTP proxy?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life