Getting Data In

Forwarder behind a proxy

Matthias_BY
Communicator

Hi,

I want to send out data with a forwarder to a Splunk indexer hosted on the web, like Splunk Storm.

Is it possible to route the traffic of a forwarder over a proxy server?

br
matthias

mnatkin_splunk
Splunk Employee

While forwarder-to-indexer traffic can be wrapped in SSL, it's not technically an HTTP connection, and therefore won't properly traverse a web proxy.

The 2 ways I know how to accomplish this are as follows:

  1. Use an intermediate forwarder (generally within a DMZ). Internal hosts have access to this host, and send their logs to the IMF. That host has outbound access to the indexer layer.
  2. Use a SOCKS v5 Proxy

If you wish to secure your forwarder-to-indexer traffic behind a proxy, note that as of 6.3, Splunk supports the use of SOCKS v5 proxies for forwarder-to-indexer traffic. Details are available on-line at:

http://docs.splunk.com/Documentation/Splunk/6.6.3/Forwarding/ConfigureaforwardertouseaSOCKSproxy
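
As an added example (not part of the original answer and not Splunk's own code): a pre-flight check that speaks the SOCKS v5 handshake to confirm a proxy will open a CONNECT to the indexer's receiving port before a forwarder is pointed at it. The proxy and indexer host names are hypothetical, and the check assumes a proxy that accepts the no-authentication method.

```python
import socket
import struct

SOCKS_VERSION = 5
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable",
              5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}

def build_greeting():
    # VER=5, NMETHODS=1, METHOD=0x00 (no authentication)
    return bytes([SOCKS_VERSION, 1, 0x00])

def build_connect(host, port):
    # VER, CMD=1 (CONNECT), RSV, ATYP=3 (domain name), length-prefixed name, port
    name = host.encode("idna")
    if not 0 < len(name) < 256 or not 0 < port < 65536:
        raise ValueError("invalid destination")
    return bytes([SOCKS_VERSION, 1, 0, 3, len(name)]) + name + struct.pack("!H", port)

def parse_method_reply(data):
    # Proxy answers VER, METHOD; 0xFF means it refuses every offered method
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 proxy (an HTTP proxy answers with text)")
    return data[1]

def parse_connect_reply(data):
    # Only the first four bytes (VER, REP, RSV, ATYP) are needed for a verdict
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed SOCKS5 reply")
    return data[1], REPLY_TEXT.get(data[1], "unknown reply code")

def check_path(proxy, indexer, timeout=5.0):
    """Return (ok, detail) for a CONNECT to indexer=(host, port) via proxy=(host, port)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        s.sendall(build_greeting())
        if parse_method_reply(s.recv(2)) != 0x00:
            return False, "proxy requires authentication"
        s.sendall(build_connect(*indexer))
        code, text = parse_connect_reply(s.recv(10))
        return code == 0, text

if __name__ == "__main__":
    # Hypothetical host names; 9997 is the receiving port quoted in this thread
    print(check_path(("socks.example.internal", 1080), ("indexer.example.com", 9997)))
```

A `ValueError` from `parse_method_reply` is the typical result when the proxy in the path is an HTTP web proxy rather than a SOCKS v5 one.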

eddiewebb
Engager

Found another user with this problem, answers.splunk.com/answers/85935/forward-to-splunk-storm-using-universal-forwarder-through-proxy

They quote an insufficient response from Splunk:

"If the problem is directly linked to your company proxy (or firewall), there is nothing that we can do. Splunk protocol requires a connection on the port 9997, with acknowledgement back. Please contact your enterprise network team to see if they can open the port and route the data to it."

Also found this article - docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Setupforwardingandreceiving

Note: You cannot forward data across a proxy, because the communication between forwarder and receiver does not use the HTTP protocol.

eddiewebb
Engager

Confirmed that setting PROXY, HTTP_PROXY, and HTTPS_PROXY in the universal forwarder's splunk-launch.conf has no effect on this issue.

Matthias_BY
Communicator

Hi,

Sorry, that is not the answer. You're referring to Splunk Web. I'm asking about forwarder traffic.

br
