Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to set a proxy variable for Splunk to get out to the Internet?

sdwilkerson
Contributor
‎05-18-2010 07:30 PM

A site requires proxy-settings to be in place for every browser in order to go to the Internet.

There doesn't appear to be any configuration in Splunk to support http_proxy.

Without this, Splunk can not, for instance, browse to splunkbase (through the manager UI) to install new apps.

The user Splunk runs as can set the following in their environment (e.g. ~/.bashrc):
export http_proxy='http://proxyaddy:port'
export https_proxy='http://proxyaddy:port'

And then when that user restarts Splunk those environment variables are passed to Splunk. This is fine when the user does a restart, but this does not work when the system is rebooted or an init is changed.

Labels (1)
Labels
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

sdwilkerson
Contributor
‎05-18-2010 07:49 PM

On Linux, here is a work-around (though a Splunk-internal config would be ideal):

Set the http_proxy variables to be exported and picked up by the init script. It is not Linux/RHEL recommended practice to customize start scripts installed via a package manager (e.g. RPM) since they might be replaced with the next upgrade/install.

Therefore the recommended solution is to edit the appropriate file in /etc/sysconfig.

Unfortunately, the RPMs that Splunk distributes as of VERSION=4.1.2 BUILD=79191 does not accomodate the RHEL-recommended usage of the /etc/sysconfig directory for localized settings.

Therefore, to accomodate best-practice for RHEL and add the proxy setting to make it reboot persistent do the following:

  • Edit/create the file /etc/sysconfig/splunk and enter the following lines (edit the proxyaddy and port appropriate to your environment):
    • # Export local proxy settings to allow Splunk to get out
    • export http_proxy='http://proxyaddy:port'
    • export https_proxy='http://proxyaddy:port'

  • Next edit the start script /etc/init.d/splunk to tell it to use the local settings file you just created (hopefully this will be added by Splunk in future versions of their RPMs


    • # Add a standard PROG var then check for the sysconfig script and run if available

    • PROG="splunk"

    • [ -f /etc/sysconfig/$PROG ] && . /etc/sysconfig/$PROG ]

The next time you do a system restart this should work properly. If you wanted to simulate how Splunk would be restarted by the system doing a reboot but without having to reboot you can do the following steps:

  1. Ensure you have configured Splunk to run at reboot with the command: splunk enable boot-start
  2. stop splunk (e.g. $SPLUNK_HOME/bin/splunk stop)
  3. init 1
  4. init 3

View solution in original post

Reply
Solved! Jump to solution

chrisherdt
Engager
‎06-20-2019 02:26 PM

For more recent versions of Splunk (for example, version 7.3 in 2019), you can set proxy values in server.conf:

[proxyConfig]
http_proxy = http://proxy.example.com
https_proxy = https://proxy.example.com

See https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/ConfigureSplunkforproxy for details.

Reply
Solved! Jump to solution

securitypaul
Explorer
‎08-17-2023 05:32 AM

Thank you for this 🙂

0 Karma
Reply
Solved! Jump to solution

hthiel
Explorer
‎07-06-2020 12:06 AM

@chrisherdt, as you can read in your link, this option is not for Splunk to communicate to the outside, but for Splunk 2 Splunk communication through a proxy. 

"This process configures Splunk to Splunk communication through a Proxy. The settings documented here do not support interactions outside of Splunk, for example:

  • Access to Splunkbase via Splunk Web
  • Splunk external lookups
  • Actions that make a REST API call to an external service outside of a firewall"
0 Karma
Reply
Solved! Jump to solution

seyvet
Explorer
‎01-29-2014 01:12 AM

easy. works fine.

0 Karma
Reply
Solved! Jump to solution

petert2011
Engager
‎06-27-2011 10:35 PM

Watch out for this one, after configuring https_proxy environment variable, the Cisco IPS script to connect to port 443 using SDEE to an IDSM was also using the proxy - and with no access from Proxy to port 443 on the IDSM all I was getting was 504 Gateway Errors in the sdee log file

It would be good if there was a configuration item within the manager to specify a proxy only for splunk's access to Splunk resources on the internet.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎05-22-2010 07:47 AM

I suspect you could add this to splunk-launch.conf:

http_proxy=http://proxy:port
https_proxy=http://proxy:port

You can set other environment variables this way.

0 Karma
Reply
Solved! Jump to solution

pinoyoz
New Member
‎09-18-2013 12:42 AM

Hi Gerald,

I tried to use this config on my Windows machine but splunkd is not communicating with the proxy. I can access the proxy using a normal browser but not through the app.

Did anyone managed to get this working?

Thanks.

0 Karma
Reply
Solved! Jump to solution

sdwilkerson
Contributor
‎05-26-2010 09:09 PM

Gerald,
I had tried this before with no joy. After seeing your comment, I just tried it again and still without the desired/expected result.
I believe the difference is that the VAR is not necessarily something Splunk needs but something that is passed to python which then uses it during external http calls.
Let me know your thoughts. I am here onsite until Friday so can test other ideas.

0 Karma
Reply
Solved! Jump to solution
Solution

sdwilkerson
Contributor
‎05-18-2010 07:49 PM

On Linux, here is a work-around (though a Splunk-internal config would be ideal):

Set the http_proxy variables to be exported and picked up by the init script. It is not Linux/RHEL recommended practice to customize start scripts installed via a package manager (e.g. RPM) since they might be replaced with the next upgrade/install.

Therefore the recommended solution is to edit the appropriate file in /etc/sysconfig.

Unfortunately, the RPMs that Splunk distributes as of VERSION=4.1.2 BUILD=79191 does not accomodate the RHEL-recommended usage of the /etc/sysconfig directory for localized settings.

Therefore, to accomodate best-practice for RHEL and add the proxy setting to make it reboot persistent do the following:

  • Edit/create the file /etc/sysconfig/splunk and enter the following lines (edit the proxyaddy and port appropriate to your environment):
    • # Export local proxy settings to allow Splunk to get out
    • export http_proxy='http://proxyaddy:port'
    • export https_proxy='http://proxyaddy:port'

  • Next edit the start script /etc/init.d/splunk to tell it to use the local settings file you just created (hopefully this will be added by Splunk in future versions of their RPMs


    • # Add a standard PROG var then check for the sysconfig script and run if available

    • PROG="splunk"

    • [ -f /etc/sysconfig/$PROG ] && . /etc/sysconfig/$PROG ]

The next time you do a system restart this should work properly. If you wanted to simulate how Splunk would be restarted by the system doing a reboot but without having to reboot you can do the following steps:

  1. Ensure you have configured Splunk to run at reboot with the command: splunk enable boot-start
  2. stop splunk (e.g. $SPLUNK_HOME/bin/splunk stop)
  3. init 1
  4. init 3
Reply
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...