Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Collector/Forwarder

fisk12
Path Finder
‎04-25-2011 01:13 PM

Say for example i have a environment that is being split into two different networks (routed through different firewalls) I have my "main" splunk server on one of the network. Is is possible to use one or more splunk instance as "collectors" on the other net and send it to the main splunk server. I rather don't want to set up routing/firewalls opening more then absolutely necessary.

0 Karma
Reply

fisk12
Path Finder
‎04-25-2011 02:57 PM

Cool, so basically i just have to set the servers on Net a to send their stuff to "Box A" and then just set "Box A" as a forwarder and send its stuff to box B?

0 Karma
Reply

David
Splunk Employee
Splunk Employee
‎04-25-2011 01:30 PM

You can absolutely set up a firewall between separate subnets, but as with anything IP based, you're going to need firewall rules to allow it. If you set up a forwarder in subnet A, it's going to forward to whatever port you define in your inputs.conf on the indexer (and outputs.conf on the forwarder). You can set whatever port you want, though, so it will you don't need to allow TCP Any, or port 80/443, or etc. You could, say, use port 12345, which is nice and distinct for firewall admins.

Reply

David
Splunk Employee
Splunk Employee
‎04-25-2011 02:40 PM

Ah ha, gotcha. Unless you're sending obscenely large amounts of data, or have an obscenely underpowered box in Net A, that should work fine. Forwarding is very resource light, so you can have a local forwarder send everything to the main box. Just note that you have to have the box in Net A be a forwarder, rather than an indexer. You can't double-index the data, unless you have the licensing to support it.

0 Karma
Reply

fisk12
Path Finder
‎04-25-2011 01:41 PM

Yeah well im also doing a big part of the firewall stuff myself so i know about that stuff. What i meant was if its working good to have some servers on Net A send their stuff to a smaller splunk server on net A, that server then sends it stuff to the "real" splunk server on net B. With that i only have the static route between the two splunk servers configured, insted of the hole net A- Net B.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...