Splunk Enterprise Security

Can a Splunk Heavy Forwarder send data via UDP or does it have to be TCP?


We need to implement a one-way transfer between a heavy forwarder on one side and a receiver on the other side. If heavy forwarders can send UDP, is there a capability to resend indexed data on that forwarder if there is ever a need to replay it due to the one-way transfer going down?

Thanks in Advance.

New Member

I realize this is an old thread, but thought I'd chime in just in case the situation is still pending.

You could do that, but you would need to write the incoming (to the HF) data to disk so that you could go back to it later if you needed to resend it. Otherwise, the HF will just hold the data it is forwarding in memory and dump it once it has been successfully sent.

You would almost need to index and forward on the HF so that you can compare data on both sides of whatever network you are traversing here.

Bottom line is, this can be done, it might just take some creative solutions to accomplish it.



I appreciate the answer provided by ddrillic, but this question addresses a specific security implementation we may be forced to live with, whereby no outbound traffic, not even TCP acknowledgments, would be permitted. I don't know if anyone out there has been faced with this constraint. I know Splunk can listen on UDP/TCP, but I want it to send UDP through the one-way. Yes, if we detect a gap in events due to the one-way going down, my thought was to have the sending heavy forwarder resend events from the index. The idea is that we would treat the index as a buffer.

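The "index as a buffer" idea above needs two pieces the thread only sketches: a way to see that the far side missed a window, and a way to push that window back through the one-way link as plain UDP. The script below is an added example, not code from any poster or from Splunk. It assumes (labelled as such in the comments) that both sides can produce per-minute counts with `index=oneway | bin _time span=1m | stats count by _time`, that the receiver's counts reach the sender out of band since the link carries nothing back, and that the events to resend are exported from the sender's own index as raw text (for instance `splunk search '...' -output rawdata`); the sample counts and events here are constructed inline, and the loopback listener stands in for the receiver.

```python
"""Find gaps between sender and receiver counts and replay the missing
window from the heavy forwarder's local index over one-way UDP.

Added example, not from the thread. Assumptions:
- per-minute counts come from  index=oneway | bin _time span=1m | stats count by _time
  run on each side; the receiver's counts arrive out of band (the link is one-way)
- events to resend are exported from the sender's index as raw text, e.g.
  splunk search 'index=oneway earliest=... latest=...' -output rawdata
"""
import socket
import time
from datetime import datetime, timezone

MAX_DATAGRAM = 1024  # assumed cap on one syslog datagram; UDP cannot stream
HOSTNAME = "hf01"    # assumed name of the sending heavy forwarder


def find_gaps(sender_counts, receiver_counts):
    """Return [(bucket, missing)] for every bucket where the receiver saw
    fewer events than the sender indexed. Buckets are the stats _time keys."""
    gaps = []
    for bucket in sorted(sender_counts):
        missing = sender_counts[bucket] - receiver_counts.get(bucket, 0)
        if missing > 0:
            gaps.append((bucket, missing))
    return gaps


def syslog_datagram(message, hostname, when, facility=1, severity=5):
    """Build an RFC 3164-style datagram: <PRI>Mmm dd HH:MM:SS host message.
    Day of month is space-padded as RFC 3164 requires; PRI = facility*8+severity."""
    pri = facility * 8 + severity
    dt = datetime.fromtimestamp(when, tz=timezone.utc)
    stamp = f"{dt.strftime('%b')} {dt.day:2d} {dt.strftime('%H:%M:%S')}"
    data = f"<{pri}>{stamp} {hostname} {message}".encode("utf-8", errors="replace")
    # An oversize event is truncated rather than split: with no stream, the
    # receiver could not reassemble fragments anyway.
    return data[:MAX_DATAGRAM]


def replay(events, dest, hostname=HOSTNAME, per_second=0):
    """Send each (epoch, raw_event) as one UDP datagram to dest=(host, port).
    Optional pacing avoids overrunning the receiver's UDP buffer, which drops
    silently when full. Returns the number of datagrams sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for when, raw in events:
            sock.sendto(syslog_datagram(raw, hostname, when), dest)
            sent += 1
            if per_second:
                time.sleep(1.0 / per_second)
    return sent


def loopback_demo():
    """Detect a missing minute from constructed counts, then replay the
    constructed events for that minute to a local UDP listener that stands
    in for the receiver. Returns (gaps, received datagrams as text)."""
    sender = {"2020-01-01T00:00": 3, "2020-01-01T00:01": 2, "2020-01-01T00:02": 1}
    receiver = {"2020-01-01T00:00": 3, "2020-01-01T00:02": 1}  # minute 00:01 never arrived
    gaps = find_gaps(sender, receiver)

    # Constructed stand-in for the rawdata export of the missing minute
    # (1577836860 is 2020-01-01T00:01:00Z).
    events = [(1577836860, "sshd[1]: Accepted publickey for alice"),
              (1577836861, "sshd[2]: Failed password for root")]

    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        n = replay(events, rx.getsockname())
        received = [rx.recv(2048).decode("utf-8") for _ in range(n)]
    return gaps, received


if __name__ == "__main__":
    found, got = loopback_demo()
    print("gaps:", found)
    for line in got:
        print(line)
```

The receiver-side counts are the part the one-way link cannot give you automatically; in practice they travel back by a separate channel (an export carried across by hand, or a monitoring feed that is allowed to leave the high side). Replay pacing matters more than it looks: a burst of thousands of datagrams from a local index export will overflow the receiver's socket buffer, and UDP gives no sign that it happened.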

Ultra Champion

The documentation speaks to that at "Get data from TCP and UDP ports".

It says -

-- You can configure Splunk Enterprise to accept an input on any TCP or UDP port. Splunk Enterprise consumes any data that arrives on these ports. Use this method to capture data from network services such as syslog (default port is UDP 514). You can also set up the netcat service and bind it to a port.

For security, Splunk Cloud accepts connections only from forwarders with the correct Secure Sockets Layer (SSL) certificates. If you want to send data from a TCP or UDP source such as syslog, use the Splunk Universal Forwarder to listen to the source and forward the data to your Splunk Cloud deployment.

TCP is the network protocol that underlies the Splunk Enterprise data distribution scheme. It is the recommended protocol for sending data from any remote host to your Splunk Enterprise server. Splunk Enterprise can index remote data from syslog-ng or any other application that transmits via TCP.

Splunk Enterprise supports monitoring over UDP, but you should use TCP to send network data instead whenever possible. UDP is not desirable as a transport because, among other reasons, it does not guarantee delivery of network packets.

When you monitor TCP network ports, the user Splunk Enterprise runs as must have access to the port you want to monitor. On many Unix operating systems, by default, you must run Splunk Enterprise as the root user to listen directly on a port below 1024.


I downvoted this post because this does not actually answer the question whatsoever. Copying and pasting general information about TCP/UDP is not helpful at all.

The question was whether a HF can send via UDP.

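The thread never states the concrete mechanism, so here is an added configuration example (not from any poster, and not Splunk's own documentation text). A heavy forwarder's splunktcp output is TCP only, but the forwarder can emit events as syslog through the `[syslog]` output in outputs.conf, where `type = udp` sends each event as a UDP datagram with no return traffic; a universal forwarder cannot do this because syslog output needs the parsing pipeline. The receiver address, port and group name below are assumptions, and Splunk .conf files do not accept inline comments, so every comment sits on its own line.

```ini
# --- sending heavy forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---

# Keep a searchable local copy so the local index can serve as the replay buffer.
[indexAndForward]
index = true

# Route every event to the syslog group below. For selective routing, omit
# defaultGroup and use a transforms.conf stanza with DEST_KEY = _SYSLOG_ROUTING
# and FORMAT = oneway_udp, referenced from props.conf as TRANSFORMS-oneway.
[syslog]
defaultGroup = oneway_udp

# Assumed receiver address. udp is the default type; tcp is the other choice.
# Events longer than maxEventSize bytes are split into several datagrams.
[syslog:oneway_udp]
server = 192.0.2.10:5514
type = udp
maxEventSize = 1024

# --- receiving indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ---

# A port above 1024 avoids running Splunk as root just to bind the socket
# (the quoted documentation above makes the same point). Sender metadata such
# as index and sourcetype does not survive syslog output, so assign it here.
# _rcvbuf enlarges the kernel receive buffer: UDP bursts that overflow it are
# dropped with no error on either side.
[udp://5514]
sourcetype = syslog
connection_host = ip
_rcvbuf = 1572864
```

Two operational checks after a restart: on the forwarder, `splunk btool outputs list syslog --debug` shows the stanza actually in effect, and on the receiver a search such as `index=main sourcetype=syslog | stats count by host` confirms events arrive tagged with the forwarder's IP. Because UDP gives no acknowledgement, the sender-side index and an out-of-band count comparison are the only evidence of delivery.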