We have a relatively closed network in which we plan to collect logs from. This network resides on a larger "open" network that we don't want to have directly communicating to our internal network.
Is it possible to send logs to a Heavy Forwarder on this "open" network, to another Heavy Forwarder in our DMZ, to our indexer? I know this seems really odd (and it probably is), but I wanted to know if this is technically possible. We are trying to work around policies in our network.
Thanks!
Yes it is possible! This guidance is tucked away at the bottom of this page: http://docs.splunk.com/Documentation/Splunk/6.2.5/Forwarding/Forwarderdeploymenttopologies
Intermediate forwarding
To handle some advanced use cases, you might want to insert an intermediate forwarder between a group of forwarders and the indexer. In this type of scenario, the originating forwarders send data to a consolidating forwarder, which then forwards the data on to an indexer, usually after indexing it locally.
Typical use cases are situations where you need an intermediate index, either for "store-and-forward" requirements or to enable localized searching. (In this case, you would need to use a heavy forwarder.) You can also use an intermediate forwarder if you have some need to limit access to the indexer machine; for instance, for security reasons.
To enable intermediate forwarding, you need to configure the forwarder as a both a forwarder and a receiver. For information on how to configure a receiver, read "Enable a receiver".
Yes it is possible! This guidance is tucked away at the bottom of this page: http://docs.splunk.com/Documentation/Splunk/6.2.5/Forwarding/Forwarderdeploymenttopologies
Intermediate forwarding
To handle some advanced use cases, you might want to insert an intermediate forwarder between a group of forwarders and the indexer. In this type of scenario, the originating forwarders send data to a consolidating forwarder, which then forwards the data on to an indexer, usually after indexing it locally.
Typical use cases are situations where you need an intermediate index, either for "store-and-forward" requirements or to enable localized searching. (In this case, you would need to use a heavy forwarder.) You can also use an intermediate forwarder if you have some need to limit access to the indexer machine; for instance, for security reasons.
To enable intermediate forwarding, you need to configure the forwarder as a both a forwarder and a receiver. For information on how to configure a receiver, read "Enable a receiver".
Thank you! I actually did read that documentation, but it wasn't clear to me if it was referring to heavy forwarders. Thank you!