Checking machines' status from outside a firewall

New Member

I have a Win7 PC on which I would like to run Splunk, but the majority of machines (mostly UNIX) I would like to monitor are behind a firewall. Is there a way for me to configure Splunk to be able to monitor those machines from outside their firewall? Thanks!


SplunkTrust

There should be some distinction between what Splunk does versus your typical network/system/server "monitoring" software. Splunk is not exactly like Nagios, nor is it Zenoss, or OpenView, or any of these things. There is some overlap between Splunk and these other tools, but also a lot of differences.

At its core, Splunk's main job is data collection, indexing, and search. As long as that data is (or can be trivially converted to) plain text, Splunk doesn't particularly care what is in it.

Splunk's "monitoring" capabilities are an extension of its data collection/indexing functionality. Similarly, "alerting" is built upon search. Splunk has the ability to run operating system commands on a schedule and index their output. What these commands actually do is practically irrelevant to Splunk. (For example, it would not be terribly difficult to build a stock price app in Splunk.) Most of the "monitoring" in a traditional sense in Splunk is built in this way. The "Splunk for *nix" and "Splunk for Windows" apps run various commands on the machine every few minutes in order to catch the output of basic operating system commands like "df", "ps", and "netstat".

But there is nothing built into Splunk to, for example, ping a machine and make sure it is responding or confirm that a DNS server is online. Nor is there a built-in capability to poll devices for SNMP data.

As far as the "firewall" aspect of your question, there is a lot of "it depends". Assuming you want to install Splunk forwarders on these machines (as Genti was discussing) you would need to open some pinholes in your firewall to enable these servers to talk to your Splunk indexer. Exactly what those pinholes are depends on how you design your deployment. We have several machines where there is a firewall between them and the Splunk indexer, and everything works fine.

The concept of "monitoring" machines means a lot of different things to different people. You might want to elaborate on what your data sources are on these machines, how you would like to collect said data, and what you would want to do with it. You can always edit your original question to include these additional details.

Basically, what problem are you trying to solve exactly?

Splunk Employee

I'm a bit unclear as to what "Checking machines' status" refers to, given the description of your question; however, I am assuming that you wish to monitor data from these UNIX machines and send it to a centralized indexer.

Assuming my assumption is correct, then you would need to install Splunk forwarders on all your UNIX boxes, and configure them to send the data to the indexer. To do this, you might want to allow these forwarders to send data to the indexer (by default port 9997) through your firewall, i.e. open port 9997 for outgoing TCP data to the indexer.

If you hit difficulties during this, make sure that the connection between forwarder and indexer can be established, i.e. try telnetting on port 9997 between the two boxes.

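The telnet check in the answer above only tells you whether the handshake completed. The added Python script below (not part of this thread or of Splunk) runs the same connectivity test from a forwarder host, but distinguishes a silent timeout (typically a firewall dropping the SYN) from a refused connection (the pinhole works, but the indexer is not listening on 9997) and from a DNS failure, and then renders the outputs.conf stanzas the forwarder would need. The indexer host name is whatever you pass on the command line; the output group name `primary_indexers` is a placeholder of our choosing.

```python
import socket

SPLUNK_RECEIVING_PORT = 9997  # default indexer receiving port named in the answer above


def check_indexer_port(host, port=SPLUNK_RECEIVING_PORT, timeout=5.0):
    """TCP-connect from this (forwarder) host to the indexer; return (status, detail).
    "ok"         handshake completed: firewall pinhole and receiver are both fine
    "refused"    host sent RST: passes the firewall, but nothing listens (receiving off?)
    "timeout"    no answer at all: typically a firewall silently dropping SYNs
    "unresolved" name lookup failed: fix DNS before blaming the firewall
    "error"      any other OS-level failure
    """
    try:
        addrs = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "unresolved", f"{host}: {exc}"
    result = ("error", f"{host}: no addresses returned")
    for family, socktype, proto, _canon, sockaddr in addrs:
        target = f"{sockaddr[0]}:{sockaddr[1]}"
        with socket.socket(family, socktype, proto) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect(sockaddr)
                return "ok", f"connected to {target}"
            except socket.timeout:
                result = ("timeout", f"no reply from {target} within {timeout}s")
            except ConnectionRefusedError:
                result = ("refused", f"{target} reachable but nothing is listening")
            except OSError as exc:
                result = ("error", f"{target}: {exc}")
    return result  # failure of the last address tried


def render_outputs_conf(indexer, port=SPLUNK_RECEIVING_PORT, group="primary_indexers"):
    """Forwarder-side outputs.conf stanzas pointing at the indexer (Splunk's
    outputs.conf format; the group name is our own placeholder)."""
    return (
        "[tcpout]\n"
        f"defaultGroup = {group}\n\n"
        f"[tcpout:{group}]\n"
        f"server = {indexer}:{port}\n"
    )


if __name__ == "__main__":
    import sys  # usage: python check_indexer.py <indexer-host> [port]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else SPLUNK_RECEIVING_PORT
    print("%s: %s" % check_indexer_port(sys.argv[1], port))
```

Run it on the UNIX box behind the firewall, not on the indexer, since the question is whether outbound traffic from the forwarder side gets through.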

Splunk Employee

Check this link for more info regarding forwarding: http://www.splunk.com/base/Documentation/4.1.5/admin/AboutForwardingAndReceiving
