Getting Data In
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Forwarder behind a proxy

Matthias_BY
Communicator
‎08-16-2013 05:35 AM

Hi,

i want to send out data with an forwarder to a splunk indexer hosted in the web like splunk storm.

Is it possible to route the traffic of a forwarder over a proxy server?

br
matthias

Tags (3)
Reply

mnatkin_splunk
Splunk Employee
Splunk Employee
‎09-05-2017 06:58 AM

While forwarder-to-indexer traffic can be wrapped in SSL, it's not technically an HTTP connection, and therefore won't properly traverse a web proxy.

The 2 ways I know how to accomplish this are as follows:

  1. Use an intermediate forwarder (generally within a DMZ). Internal hosts have access to this host, and send their logs to the IMF. That host has outbound access to the indexer layer.
  2. Use a SOCKS v5 Proxy

If you wish to secure your forwarder-to-indexer traffic behind a proxy, note that as of 6.3, Splunk supports the use of SOCKS v5 proxies for forwarder-to-indexer traffic. Details are available on-line at:

http://docs.splunk.com/Documentation/Splunk/6.6.3/Forwarding/ConfigureaforwardertouseaSOCKSproxy

Reply

chauhananand
Engager
‎09-29-2023 06:07 AM

New link to doc:
https://docs.splunk.com/Documentation/Splunk/9.1.1/Forwarding/ConfigureaforwardertouseaSOCKSproxy

0 Karma
Reply

eddiewebb
Engager
‎11-22-2013 02:07 PM

Found another user with this problem, answers.splunk.com/answers/85935/forward-to-splunk-storm-using-universal-forwarder-through-proxy

They quote a insufficient response from splunk

If the problem is directly linked to
your company proxy (or firewall),
there is nothing that we can do.
Splunk protocol requires a connection
on the port 9997, with acknowledgement
back. Please contact your entreprise
network team to see if they can open
the port and route the data to it.

Also found this article - docs.splunk.com/Documentation/Splunk/6.0/Forwarding/Setupforwardingandreceiving

Note: You cannot forward data across a proxy, because the communication between forwarder and receiver does not use the HTTP protocol.

Reply

msn2507
Path Finder
‎09-17-2013 06:29 PM

Yes, the documentation is here

http://docs.splunk.com/Documentation/Splunk/5.0.4/admin/Specifyaproxyserver

Reply

eddiewebb
Engager
‎11-22-2013 02:04 PM

Confirmed that setting PROXY, HTTP_PROXY, and HTTPS_PROXY in the universal forwarder's splunk-launch.conf has no effect on this issue.

0 Karma
Reply

Matthias_BY
Communicator
‎09-18-2013 09:20 AM

Hi,

sorry that is not the answer. You're referring to splunk web. i'm asking for forwarder traffic.

br

0 Karma
Reply
Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...
Top