We have the deployment server in the DMZ zone and the indexers are in the DRN zone. The Windows team is pushing the packages using SCCM to our DMZ deployment servers, and we can see those clients on our deployment servers, but we are not seeing a single log in our Splunk, which means data is not being indexed into our Splunk.
Please find the attached architecture screenshot for your reference.
More details:
1. Deployment servers in DMZ zone
2. Indexers are in DRN zone
The one below is for Windows DMZ log sources to the Windows universal forwarder
There are some typical steps you can use to troubleshoot in such a situation:
1) Check what the final configuration of your forwarders is with btool
2) Check whether you do have network connectivity (if you use mutual authentication, which is a good thing, you should do it with a tool that supports TLS auth and check if you can authenticate with your crypto material)
3) Check the logs on both sides for any connection-related errors
4) Dump the network traffic and see how the connection attempts go
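Steps 1 to 3 above as shell helpers, added here as an example and not part of the original answer. The function names are hypothetical, and the addresses, port 9997, app name, paths and log lines are constructed samples in the style of `btool --debug` output and `splunkd.log`.

```sh
#!/bin/sh
# Added example; addresses, paths, app name and log lines are constructed.

# Step 1: read `splunk btool outputs list --debug` on stdin and print
# "<conf file>|<server list>" for each tcpout server setting.
# No output means the forwarder has no indexer configured at all.
tcpout_servers() {
    awk '{ i = index($0, " server = ") }
         i { f = substr($0, 1, i - 1); sub(/ +$/, "", f)
             print f "|" substr($0, i + 10) }'
}

# Step 2: TLS handshake using the forwarder's own certificate material.
# Usage: tls_check <indexer:port> <ca.pem> <client-cert.pem> <client-key.pem>
tls_check() {
    openssl s_client -connect "$1" -CAfile "$2" -cert "$3" -key "$4" </dev/null
}

# Step 3: read splunkd.log on stdin and count output-connection failures
# per destination, printed as "<ip:port> <count>".
failed_destinations() {
    grep -E 'TcpOutputProc|TcpOutputFd' |
        grep -Ei 'timed out|failed|refused' |
        grep -Eo '(ip|host)=[0-9A-Za-z.:-]+' |
        sed -E 's/^(ip|host)=//' | sort | uniq -c | awk '{ print $2 " " $1 }'
}

sample_btool() {   # constructed btool output
    cat <<'EOF'
C:\Program Files\SplunkUniversalForwarder\etc\apps\dmz_outputs\local\outputs.conf  [tcpout:drn_indexers]
C:\Program Files\SplunkUniversalForwarder\etc\apps\dmz_outputs\local\outputs.conf  server = 10.20.0.11:9997,10.20.0.12:9997
C:\Program Files\SplunkUniversalForwarder\etc\system\default\outputs.conf          maxQueueSize = auto
EOF
}

sample_log() {     # constructed splunkd.log lines
    cat <<'EOF'
03-14-2024 10:02:11.123 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.20.0.11:9997 timed out
03-14-2024 10:02:41.456 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.20.0.11:9997 timed out
03-14-2024 10:03:01.789 +0000 ERROR TcpOutputFd - Connection to host=10.20.0.12:9997 failed
03-14-2024 10:03:05.000 +0000 INFO  TcpOutputProc - Connected to idx=10.20.0.12:9997
EOF
}

sample_btool | tcpout_servers
sample_log | failed_destinations
```

On a real forwarder, pipe the actual `btool` output and `splunkd.log` into the two parsing functions in place of the sample data.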
This on its own should not mean anything serious. Just that some unused connections are getting timed out. It probably means that there is some misconfiguration at the network level because open connections should get properly closed if not used but it's not a big deal.
And the deployment server on its own has nothing to do with sending logs from forwarders to indexers.