Deployment Architecture

What are other options to allow our search head and index cluster to connect without an HTTP proxy?

Path Finder

Hi,

We have a Search head on the other side of a WAN which needs to search against an Index cluster in a sensitive network segment. A security requirement is that we must use an intermediate device as a broker of some form between these network areas.

The protocol is apparently not HTTP, so an HTTP proxy is no use. What else might be available to allow these systems to connect in line with our security policy?

0 Karma

Builder

Blue Coat ProxySG can create a TCP tunnel (it will not go above layer 4) between the 2 networks.

0 Karma

Communicator

Use the SDK to access Splunk. I use the Python SDK to feed our corp portal and have similar security restraints. Once I started using the SDK, all kinds of new uses opened up.

The JS SDK has some great examples; a mini search page is one you may find useful.

http://dev.splunk.com/view/splunk-sdk/SP-CAAADP7

Path Finder

Well, I need something we could call a proxy. Could I use this to write a proxy somehow, instead of a client? We definitely need to use a search head to query an index.

0 Karma

Communicator

If you run this on nginx, for example, you could have the Splunk endpoint be localhost and use proxy_pass to access Splunk. Have not done this myself.

http://nginx.org/en/docs/http/ngx_http_proxy_module.html

If you need a full SH, you may be able to use Squid in a distributed search config.

http://docs.splunk.com/Documentation/Splunk/6.2.1/DistSearch/Whatisdistributedsearch

I use autossh to set up a SOCKS proxy via a bastion host; this allows me to access my Splunk instance anywhere.

Hope this helps.

0 Karma