Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

HowTo pull logs into trusted network from a forwarder located in DMZ

tjensen
Explorer
‎11-05-2012 02:21 AM

Hello,
I search a way to get realtime logs from DMZ-Zone into a Trusted Network, where the Indexer is located.
A Forwarder located in DMZ collects all logs, but this Forwarder can only send (push) logs to the trusted network. Is there a way to change the direction of the communication to pull these logs from the Forwarder?

I can pull all Logfiles directly from the log-source, but this is not in realtime.

Any suggestions on this ?

Thanks,
Torsten

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bmacias84
Champion
‎11-05-2012 09:44 AM

What you are trying to accomplish does not exist in Splunk nativly, but there is always a method. You could use rsync with following switches --stats -rltgoDzrv --append-verify to copy the data to Trusted Network Forward and setup a Monitor on that directory.



rsync --stats -rltgoDzrv --append-verify -e "ssh -l ssh-user" rsync:://targethost2/module/src/ /tmp/secure_data/

Or Possibly a scripted input using ssh and tail.

View solution in original post

Reply
Solved! Jump to solution
Solution

bmacias84
Champion
‎11-05-2012 09:44 AM

What you are trying to accomplish does not exist in Splunk nativly, but there is always a method. You could use rsync with following switches --stats -rltgoDzrv --append-verify to copy the data to Trusted Network Forward and setup a Monitor on that directory.



rsync --stats -rltgoDzrv --append-verify -e "ssh -l ssh-user" rsync:://targethost2/module/src/ /tmp/secure_data/

Or Possibly a scripted input using ssh and tail.

Reply
Solved! Jump to solution

vial8
Engager
‎11-06-2012 12:08 AM

Definately the best way to go. I use this on our solution where we have logs that is on a vendor system.

0 Karma
Reply
Solved! Jump to solution

tjensen
Explorer
‎11-05-2012 11:44 PM

Thanks for this feedback. We'll try it like this way.

0 Karma
Reply
Solved! Jump to solution

lrhazi
Path Finder
‎11-05-2012 05:39 AM

I dont know if Splunk indexer-forwarder supports the feature you need, but a workaround might be to to use something like stunnel or OpenSSH, to create a tunnel that is "listening" on the forwarder, and "forwarding" to the indexer. Your forwarder would then be configured to forward to localhost:port.

With SSH this would be called reverse tunnel and would be something like:

  • On the indexer: ssh -R 6514:localhost:6514 username@forwarder

Now on the forwarder, if you connect to localhost:6514, you would be connected to the indexer:6514

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...