Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Collecting logs from the fortified network over the firewall with the forwarders

chronic_splunke
Engager
‎04-06-2017 04:52 AM

Greetings, a beginner Splunk administrator here.

So I have the case where within my network there are two isolated network zones. One such that could be classified as intranet-oriented or less fortified one, and the other highly fortified with servers holding records needed for eventual collection.

Communication between them occurs through the firewall. Intranet zone holds the crucial indexer.

How could I collect logs from the fortified zone over the firewall between these zones with Splunk forwarder while not opening too many network ports or compromising the network in any way.

From your experience, I'd like to hear several ways in approaching this.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
Esteemed Legend
‎04-06-2017 05:15 AM

Hi chronic_splunker,
if you want to reduce the opening ports, you could put two Heavy Forwarders in each network that concentrate logs from all universal forwarders of own network and then forward them to indexers.
In this way you have to open only 9997 port from these four HF to Indexers.
To manage UFs you can insert a Deployment Server in each network to deploy configurations to all own UFs.
If you have less than 50 UF you can use one of the HF od each network as Deployment Server.

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
Esteemed Legend
‎04-06-2017 05:15 AM

Hi chronic_splunker,
if you want to reduce the opening ports, you could put two Heavy Forwarders in each network that concentrate logs from all universal forwarders of own network and then forward them to indexers.
In this way you have to open only 9997 port from these four HF to Indexers.
To manage UFs you can insert a Deployment Server in each network to deploy configurations to all own UFs.
If you have less than 50 UF you can use one of the HF od each network as Deployment Server.

Bye.
Giuseppe

Reply
Get Updates on the Splunk Community!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...