Getting Data to Splunk from clients outside our LA...

mmeredith · ‎02-28-2022

I am trying to setup our Splunk architecture to be able to receive events from clients/workstations outside our local network. The simplest solution is just making the main indexer externally accessible, but we don't want to do that. Is there a way to setup a Heavy Forwarder like a proxy to receive events from external clients and then send them to the main indexer? I haven't been able to find anything related to this when I try to research.

Thanks.

richgalloway · ‎02-28-2022

Yes, you could set up a HF and make it accessible to external clients. This is a common way to handle situations like this. The HF is like a DMZ in that outsiders can connect to it, but the network only allows traffic from the HF to reach the indexers.

BTW, there's no such thing as a "main indexer" in Splunk. Indexers are referred to as "search peers" because they're all equal.

---
If this reply helps you, Karma would be appreciated.

Getting Data to Splunk from clients outside our LAN

heavy forwarder

universal forwarder

Windows

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation