We have purchased Splunk Cloud recently. We couldn't send any logs to Splunk Cloud as the ports are blocked. Could you please answer the questions below:
1. How do we ingest logs from Universal Forwarders (500 Windows and Linux servers)? What ports should be allowed from the UFs, and to where (individual indexer IPs in Splunk Cloud; are they static)? Can we send logs directly from the UFs, or should we use a gateway server (HF or UF)?
2. We want to build a Deployment Master to manage the clients. What ports should be allowed from the DM, and to where (only to the UFs, or also to the CM and HF)?
3. We want to ingest syslog from devices. We keep syslog data on our syslog (Unix) server for a few weeks. Can we install a UF on that server and send it directly to Splunk Cloud, or should we route it via an HF?
4. After installing the Universal Forwarder and the credentials package, inputs.conf is present in the /default folder. Should we copy the complete inputs.conf and place it in the local folder? Or can we create a new app with the inputs.conf and deploy it to all clients?
5. Will data sent from the UFs to the cloud be encrypted, or will it go as clear text?
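As an added illustration, not part of this thread, of what "a new app with the inputs.conf, deployed to all clients" looks like: a Deployment Server serverclass.conf that pushes one inputs app to Linux UFs and another to Windows UFs, with the inputs placed under each app's local/ folder rather than default/ so they survive upgrades. Host names, app names, index names and the monitored paths are assumed for the example; port 8089 is the default Splunk management port that deployment clients poll.

```ini
# --- On the Deployment Server: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Two server classes, selected by platform; each gets one app. (Assumed names.)
[serverClass:linux_uf]
whitelist.0 = *
machineTypesFilter = linux-x86_64

[serverClass:linux_uf:app:linux_inputs]
restartSplunkd = true

[serverClass:windows_uf]
whitelist.0 = *
machineTypesFilter = windows-x64

[serverClass:windows_uf:app:windows_inputs]
restartSplunkd = true

# --- On the Deployment Server: $SPLUNK_HOME/etc/deployment-apps/linux_inputs/local/inputs.conf ---
# Inputs live in local/, not default/, so local edits and upgrades never collide.
[monitor:///var/log/secure]
sourcetype = linux_secure
index = os
disabled = 0

[monitor:///var/log/messages]
sourcetype = syslog
index = os
disabled = 0

# --- On the Deployment Server: $SPLUNK_HOME/etc/deployment-apps/windows_inputs/local/inputs.conf ---
[WinEventLog://Security]
index = wineventlog
renderXml = true
disabled = 0

[WinEventLog://System]
index = wineventlog
renderXml = true
disabled = 0

# --- On every UF: $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
# The client initiates the connection to the DS on the management port (8089 by default).
[target-broker:deploymentServer]
targetUri = ds.example.com:8089
```

The UF pulls its apps from the DS; the DS does not push into the forwarders, so in this layout the connection is initiated from the UF toward ds.example.com:8089. Anything shipped in a deployment app is placed in local/ of that app so it takes precedence over the same stanza in any default/ folder on the client.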
Thanks for the details.
2. Should the source be the Deployment Server and the destination the UFs and HFs, or is two-way access required?
3. The syslog server will be managed by Server Ops; we want to set any filtering on the Splunk HF, which the Splunk team manages. So I think I can install a UF on the syslog server and forward to the HF for any filtering (props)?
4. Sounds good.
5. Is there any official document mentioning encryption? It will be helpful to send to Security Operations. As we are sending data over the internet, should we enable anything for encryption?
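As an added example, not from this thread, of the "filtering (props) on the HF" arrangement described in point 3: the UF on the syslog server forwards everything to the heavy forwarder, and the HF drops unwanted events to nullQueue at parse time before they leave for the indexers. The HF host name, port, source path and the DEBUG/health-check patterns are assumed for the example; TRANSFORMS-* with DEST_KEY = queue / FORMAT = nullQueue is the standard index-time discard mechanism and only works on a component that parses (an HF or an indexer), which is why the filter sits on the HF rather than on the UF.

```ini
# --- On the UF (syslog server): $SPLUNK_HOME/etc/apps/syslog_inputs/local/inputs.conf ---
# Monitor the archived syslog directory written by the syslog daemon. (Assumed path.)
[monitor:///var/log/remote/*/*.log]
sourcetype = syslog
index = network
host_segment = 4
disabled = 0

# --- On the UF: $SPLUNK_HOME/etc/apps/syslog_inputs/local/outputs.conf ---
# Send to the HF instead of to the cloud indexers, so the HF can filter first. (Assumed host.)
[tcpout]
defaultGroup = hf_group

[tcpout:hf_group]
server = hf.example.com:9997

# --- On the HF: $SPLUNK_HOME/etc/apps/syslog_filter/local/inputs.conf ---
[splunktcp://9997]
disabled = 0

# --- On the HF: $SPLUNK_HOME/etc/apps/syslog_filter/local/props.conf ---
# Apply the filters to everything arriving with sourcetype=syslog.
# Transforms run in the order listed; the last matching DEST_KEY=queue assignment wins.
[syslog]
TRANSFORMS-filter = drop_debug, drop_healthcheck

# --- On the HF: $SPLUNK_HOME/etc/apps/syslog_filter/local/transforms.conf ---
# REGEX matches against the raw event (_raw) unless SOURCE_KEY is set.
[drop_debug]
REGEX = \s(DEBUG|TRACE)\s
DEST_KEY = queue
FORMAT = nullQueue

[drop_healthcheck]
REGEX = GET /healthz HTTP/1\.[01]" 200
DEST_KEY = queue
FORMAT = nullQueue
```

Events that match either regex are discarded on the HF and never count against the Splunk Cloud ingest license; everything else continues on to the indexers through the HF's own outputs.conf. Keep the patterns narrow: a regex that is too broad silently drops data you may later need for an investigation, so test each one against a sample of the archived files before deploying it.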