Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Collecting logs from the fortified network over the firewall with the forwarders

chronic_splunke
Engager
‎04-06-2017 04:52 AM

Greetings, a beginner Splunk administrator here.

So I have the case where within my network there are two isolated network zones. One such that could be classified as intranet-oriented or less fortified one, and the other highly fortified with servers holding records needed for eventual collection.

Communication between them occurs through the firewall. Intranet zone holds the crucial indexer.

How could I collect logs from the fortified zone over the firewall between these zones with Splunk forwarder while not opening too many network ports or compromising the network in any way.

From your experience, I'd like to hear several ways in approaching this.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2017 05:15 AM

Hi chronic_splunker,
if you want to reduce the opening ports, you could put two Heavy Forwarders in each network that concentrate logs from all universal forwarders of own network and then forward them to indexers.
In this way you have to open only 9997 port from these four HF to Indexers.
To manage UFs you can insert a Deployment Server in each network to deploy configurations to all own UFs.
If you have less than 50 UF you can use one of the HF od each network as Deployment Server.

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎04-06-2017 05:15 AM

Hi chronic_splunker,
if you want to reduce the opening ports, you could put two Heavy Forwarders in each network that concentrate logs from all universal forwarders of own network and then forward them to indexers.
In this way you have to open only 9997 port from these four HF to Indexers.
To manage UFs you can insert a Deployment Server in each network to deploy configurations to all own UFs.
If you have less than 50 UF you can use one of the HF od each network as Deployment Server.

Bye.
Giuseppe

Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...