Getting Data In

Can multiple Splunk Universal Forwarders use the same NAT IP for sending data to a Heavy Forwarder?

ekcsoc
Path Finder

We have around 100 Universal Forwarders in a specific Office location A and another 50 Universal Forwarders in Office location B. We are trying to use a single NAT IP (192.168.10.20) for Office location A and a single NAT IP (192.168.10.30) for Office Location B for sending data from these Universal forwarders to a Heavy Forwarder placed in a different Office location C.

Can Splunk distinguish each Universal Forwarder with its own host IP even though it's communicating and sending data to the HF with a single NAT IP?

Is the TCP connection stream handling between the Splunk UF and Splunk HF capable of managing multiple TCP client connections on the same NAT IP?

0 Karma

maraman_splunk
Splunk Employee

Hi

Yes, this will work, up to the limit of your NAT device (probably the number of different source ports, but that is a TCP/IP limit, not a Splunk one).
The challenge would be communicating with the Deployment Server, but the Universal Forwarder uses a clientname that will be different;
see link text
For sending data, either to indexers or via an intermediate forwarder layer, it also doesn't matter, as the data itself depends on your input configuration and will just be processed independently of your NAT IP.

0 Karma
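An added sketch (not from the thread, and not Splunk code) of the point in the reply above: a receiver tells connections from one source IP apart by source port, and a host value carried in the data survives regardless of the connection's address. Loopback stands in for the NAT address, and the `host=` line format and `uf-NNN` names are constructed stand-ins, not Splunk's forwarder protocol.

```python
import socket
import threading

def run_demo(n_clients=5):
    """Simulate n forwarders behind one NAT address sending to one receiver.

    Every client shares the source address 127.0.0.1, as the UFs in the
    question would share one NAT IP. Plain TCP only (assumption: this is a
    model of the transport, not of Splunk's wire format).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # ephemeral port; stand-in for the HF listener
    srv.listen(n_clients)
    seen = []                          # (peer_ip, peer_port, host_from_payload)

    def receiver():
        for _ in range(n_clients):
            conn, (ip, port) = srv.accept()
            with conn:
                data = b""
                while not data.endswith(b"\n"):
                    chunk = conn.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            # The host label is read from the stream, not from the peer address.
            host = data.decode().split("host=", 1)[1].split()[0]
            seen.append((ip, port, host))

    t = threading.Thread(target=receiver)
    t.start()
    clients = []
    for i in range(n_clients):
        c = socket.create_connection(srv.getsockname())
        c.sendall(f"host=uf-{i:03d} msg=hello\n".encode())   # constructed sample event
        clients.append(c)              # keep every connection open at the same time
    t.join()
    for c in clients:
        c.close()
    srv.close()
    return seen

if __name__ == "__main__":
    for ip, port, host in run_demo():
        print(f"{ip}:{port} -> host={host}")
```

Each concurrent connection needs its own source port on the shared address, which is the NAT-side ceiling the reply refers to.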

ekcsoc
Path Finder

What do you mean by the limit of your NAT device? Is that the number of connections that can be generated from the NAT device?
And one thing, we are not using a deployment server in this model. Universal forwarders will be managed by the IT team with their own tools like SCCM/other tool.

Also, we wanted to know whether the data within the logs is still matched back to the originating log source IP of the server with the Splunk UF, or whether the host IP will be written as the NAT IP?

0 Karma

richgalloway
SplunkTrust

While I believe it will work, I have to ask: Why are you doing this? Intermediate forwarders are discouraged because they can impede performance and are a single point of failure. Why use a single NAT IP for each location? What problem are you trying to solve?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ekcsoc
Path Finder

We are trying to achieve a multi-tenant architecture by deploying specific HFs to each office location (or each company). And regarding why a single NAT IP for each location, that is how their network architecture is built and works.

0 Karma