Getting Data to Splunk from clients outside our LAN

mmeredith
New Member

I am trying to set up our Splunk architecture to be able to receive events from clients/workstations outside our local network. The simplest solution is just making the main indexer externally accessible, but we don't want to do that. Is there a way to set up a Heavy Forwarder like a proxy to receive events from external clients and then send them to the main indexer? I haven't been able to find anything related to this when I try to research.

Thanks.


richgalloway
SplunkTrust

Yes, you could set up a HF and make it accessible to external clients.  This is a common way to handle situations like this.  The HF is like a DMZ in that outsiders can connect to it, but the network only allows traffic from the HF to reach the indexers.

BTW, there's no such thing as a "main indexer" in Splunk.  Indexers are referred to as "search peers" because they're all equal.

---
If this reply helps you, Karma would be appreciated.
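
A sketch of the setup described in the answer above, added here as an illustration and not posted by anyone in the thread: the HF accepts TLS forwarder traffic from external clients and relays it to the internal indexers. The hostnames, port 9997, certificate paths and the output group name `internal_indexers` are assumptions to replace with your own values.

```ini
# ---- On the HF: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Accept forwarder traffic from external clients over TLS only.
# Do not also define a plain [splunktcp://...] stanza on this host.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# Certificate and key the HF presents to external forwarders (assumed path).
# If the private key is encrypted, also set sslPassword.
serverCert = /opt/splunk/etc/auth/mycerts/hf-server.pem
# Mutual TLS: reject clients that lack a certificate signed by your CA,
# so an exposed port does not accept data from arbitrary senders.
requireClientCert = true
sslVersions = tls1.2

# ---- On the HF: $SPLUNK_HOME/etc/system/local/server.conf ----
[sslConfig]
# CA bundle used to validate the client certificates (assumed path).
sslRootCAPath = /opt/splunk/etc/auth/mycerts/ca.pem

# ---- On the HF: $SPLUNK_HOME/etc/system/local/outputs.conf ----
[tcpout]
defaultGroup = internal_indexers
# Relay only: keep no indexed copy of the data on the exposed host.
indexAndForward = false

[tcpout:internal_indexers]
# Internal indexers (assumed names), reachable from the HF but not from outside.
server = idx1.example.internal:9997, idx2.example.internal:9997
# Indexer acknowledgment, so events are re-sent if an indexer drops mid-stream.
useACK = true
```

The firewall rules carry the DMZ property the answer relies on: external clients may reach only the HF's listening port, and only the HF may open connections to the indexers' receiving port.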