Dears,
We have the deployment server in DMZ zone and indexers are in DRN zone. So windows team is pushing the packages using SCCM to our DMZ deployment servers and we can see those clients in our deployment servers but we are not seeing single logs in our splunk that means data is not indexing into our splunk.
Please find the attached architecture screenshot for your reference .
More details :
1. Deployment servers in DMZ zone
2. Indexers are in DRN zone
#################
The below one is for Windows DMZ log sources to windows universal forwarder
[root@********local]# cat outputs.conf
[tcpout]
defaultGroup = xxxx_idx_win_prod
indexAndForward = false
[indexAndForward]
index = false
[tcpout:xxxx_idx_win_prod]
autoLBVolume = 1048576
server = xxxxsplkwinfrwdr001.xxxxx.xx.xxxx:9997, xxxxsplkwinfrwdr002.xxxxx.xx.xxxx:9997
sslPassword = password
clientCert = $SPLUNK_HOME/etc/auth/server.pem
autoLBFrequency = 5
useACK = true
########################################
Deployment server configuration :- This will applicable for PROD DRN indexers - Forwarders to indexers
/opt/splunk/etc/deployment-apps/xx-xxxx_xxxx_idx_prod_outputs/local
cat outputs.conf
[tcpout]
defaultGroup = xxxx_idx_prod
indexAndForward = false
[indexAndForward]
index = false
[tcpout:xxxx_idx_prod]
autoLBVolume = 1048576
server = <all drn indexers ip address mentioned here with 9997 port>
sslPassword = password
clientCert = $SPLUNK_HOME/etc/auth/server.pem
autoLBFrequency = 5
useACK = true
#######################
inputs.conf
cat inputs.conf
[splunktcp-ssl:9997]
disabled=0
[SSL]
sslPassword = password
clientCert = $SPLUNK_HOME/etc/auth/server.pem
Kindly advise us on this.
