Splunk Enterprise

internet server mapping

roopeshetty
Path Finder

Hi

 

We have Splunk Enterprise installed on a Windows computer which does not have direct access to the internet. To access the internet on that computer, we usually open a browser like Chrome or Edge, then enter the required website (example: https:\\www.yahoomail.com) and press Enter. Then a pop-up appears in the browser asking us to enter credentials. This pop-up shows our internet proxy server URL with port number, that is https://myinternetserver01.mydomain.com:4443, and an option to enter a username and password, as shown in the attached screenshot. Once we enter the credentials, it allows us to browse any website on that computer until we log out from that computer. Due to these restrictions, we are unable to use some of the Splunk add-ons which require an internet connection. We tried many options using proxy settings, but none of them are working.

 

Can someone please guide us on where we can input this internet server URL, port and credentials so that Splunk will have a direct connection to the internet and we can use all Splunk add-ons which need internet?

roopeshetty_1-1733290565325.png

 

 

 

0 Karma

victor_menezes
Communicator

Hi @roopeshetty ,
Can you elaborate more on what you already tried when you mentioned "We tried many options using proxy settings but none of them are working."?

 

Also, it is not clear whether you are running in a standalone environment or a clustered one, and whether the proxy configs you tried were in conf files or added via REST.

Check this documentation for some good examples of how to configure proxy and non-proxy addresses, and make sure that you define the http/https_proxy correctly (use the same config mentioned in your browser for reference, if that is using a direct proxy address instead of an auto-discovery script).

Configure splunkd to use your HTTP Proxy Server - Splunk Documentation

Note that you must pass the authentication in the URL if your proxy requires it (like http://user:pass@myproxy.com:80).

0 Karma

roopeshetty
Path Finder

We tried the confs below:

 

 

  • Navigate to $SPLUNK_HOME/etc/system/local/.

  • Edit (or create) server.conf

 

[general]
http_proxy = http://myinternetserver01.mydomain.com:4443
https_proxy = https://myinternetserver01.mydomain.com:4443
proxy_user = username
proxy_password = mysecurepassword

 

We also tried the conf below:

[general]
http_proxy = http://username:mysecurepassword@myinternetserver01.mydomain.com:4443
https_proxy = https://username:mysecurepassword@myinternetserver01.mydomain.com:4443

But neither of them is working.

 

 

0 Karma

victor_menezes
Communicator

Hi @roopeshetty ,

 

The proxy config should be in its own stanza, not the [general] one.

 

 

[proxyConfig]
http_proxy = <string that identifies the server proxy. When set, splunkd sends all HTTP requests through this proxy server. The default value is unset.> 

https_proxy = <string that identifies the server proxy. When set, splunkd sends all HTTPS requests through the proxy server defined here. If not set, splunkd uses the proxy defined in http_proxy. The default value is unset.>  

no_proxy = <string that identifies the no proxy rules. When set, splunkd uses the [no_proxy] rules to decide whether the proxy server needs to be bypassed for matching hosts and IP Addresses. Requests going to localhost/loopback address are not proxied. Default is "localhost, 127.0.0.1, ::1">

 

Once you make the changes and restart, run a btool to make sure the server is getting it correctly from your configset:

/<splunk_home>/bin/splunk btool server list --debug | grep proxy

All the configurations returned are the ones being used by the system. Confirm that all your custom configs are there and that there are no overlays taking precedence over them.

 

0 Karma

isoutamo
SplunkTrust
You could write it like

/<splunk_home>/bin/splunk btool server list --debug proxyConfig

which shows what this stanza gets from different conf files.
0 Karma
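A check for the stanza placement discussed in the answers above, as an added example that is not from the thread or from Splunk: it reads server.conf-style text, reports proxy keys that sit outside [proxyConfig], and masks a password embedded in a proxy URL so the text can be shared without exposing it. The function name and sample text are assumptions; the sample reuses the placeholder values posted in the thread.

```python
import re
from urllib.parse import urlsplit

# Keys listed for the [proxyConfig] stanza in the answer above.
PROXY_KEYS = {"http_proxy", "https_proxy", "no_proxy"}


def audit_proxy_conf(conf_text):
    """Return (findings, redacted_lines) for server.conf-style text (hypothetical helper)."""
    stanza, findings, redacted = "(no stanza)", [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            stanza = header.group(1)
        elif "=" in line and not line.startswith("#"):
            key, value = (part.strip() for part in line.split("=", 1))
            # Proxy keys only belong in [proxyConfig], per the thread.
            if key in PROXY_KEYS and stanza != "proxyConfig":
                findings.append(f"{key} is under [{stanza}], not [proxyConfig]")
            if key in ("http_proxy", "https_proxy"):
                password = urlsplit(value).password
                if password is not None:
                    findings.append(f"{key} embeds a plaintext password")
                    # Mask only the password part of user:pass@host.
                    masked = value.replace(f":{password}@", ":<redacted>@", 1)
                    raw = f"{key} = {masked}"
        redacted.append(raw)
    return findings, redacted


# Constructed sample: the second attempt posted in the thread.
ATTEMPT = """[general]
http_proxy = http://username:mysecurepassword@myinternetserver01.mydomain.com:4443
https_proxy = https://username:mysecurepassword@myinternetserver01.mydomain.com:4443
"""
# The same settings moved into the stanza named in the answer.
MOVED = ATTEMPT.replace("[general]", "[proxyConfig]")

if __name__ == "__main__":
    for name, text in (("attempt", ATTEMPT), ("moved", MOVED)):
        findings, redacted = audit_proxy_conf(text)
        print(f"--- {name} ---")
        print("\n".join(findings))
        print("\n".join(redacted))
```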