Hi all,
I am trying to implement Splunk in a particular use case.
Use case I am trying to implement:
HF (configured proxy) > transfer data via internet > indexer
Kindly share your knowledge. Further help would be highly appreciated. Thanks.
Your description is a bit confusing. Please elaborate. What does HF have to do with squid? It's a completely separate piece of software.
What do you want to do? Set up your HF to contact your destination indexer via proxy? You want your HF to be hidden behind a reverse-proxy? Something else?
And what's the goal?
So the goal I am trying to achieve is that:
I want to forward data from HF which is behind squid proxy to Indexer which is on AWS EC2.
Drill:
HF (VM) -> (TCP9997, HTTP/HTTPS 443,80) Squid proxy -> (TCP997) Indexer.
Thanks
OK. So your HF's only way to internet is via a proxy server, right?
Unfortunately, s2s is not proxyable with http proxy as far as I know. You can only use socks5 proxy.
You could try to use httpout output to send to a HEC port (in fact it's s2s embedded in HTTP, it's not exactly a HEC output as such) and inherit the general proxy settings (https://docs.splunk.com/Documentation/Splunk/9.1.0/Admin/Serverconf#Splunkd_http_proxy_configuration), but I'm not sure if it will work. But it's your only chance. If it doesn't work, you need to either open your firewall for this particular traffic directly or use a socks proxy.
Anyway, if the idea behind allowing only proxied traffic is that "we will do content inspection, hurr, durr", it won't work.
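As an added illustration of the httpout-plus-proxy suggestion above (this is not from the thread or from Splunk's docs), here are the two fragments that would live on the heavy forwarder: an outputs.conf `[httpout]` stanza pointing at the indexer's HEC listener, and the server.conf `[proxyConfig]` stanza that splunkd's general proxy settings come from. The hostnames, the Squid port, the HEC port 8088 and the token are placeholders, and whether httpout actually honours `[proxyConfig]` is, as the reply says, not confirmed here.

```ini
# outputs.conf on the heavy forwarder (added example; all values are placeholders)
[httpout]
# HEC endpoint on the AWS indexer; HEC must be enabled there with a matching token.
# 8088 is Splunk's usual HEC port, assumed here, not stated in the thread.
uri = https://indexer.example.com:8088
httpEventCollectorToken = REPLACE-WITH-HEC-TOKEN
# Batch events before sending so each proxied HTTPS request carries more than one event
batchSize = 65536
batchTimeout = 30

# server.conf on the heavy forwarder
[proxyConfig]
# Squid listener the HF is allowed to reach (placeholder host and port)
http_proxy = http://squid.internal.example:3128
https_proxy = http://squid.internal.example:3128
# Keep splunkd's own local management calls off the proxy
no_proxy = localhost,127.0.0.1,::1
```

After restarting splunkd on the HF, check splunkd.log for httpout connection errors and the Squid access log for CONNECT requests to the indexer host on 8088; if Squid only permits CONNECT to 443, it will refuse the HEC port and the data will never leave the HF.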