We have a Splunk Enterprise installed in a DMZ with strict firewall rules about how to communicate with our index array. When I set up forwarding on the outputs.conf, I designated our Indexer IPs and port 9997.
[tcpout:default-autolb-group]
disabled = false
server = IP1:9997, IP2:9997, IP3:9997, IP4:9997
Forwarding isn't working, though. When I check the ports with the "lsof -i -P -n" command, I see that the Heavy Forwarder tries to talk to IP1 over random ports:
splunkd 31931 root 61u IPv4 570678 0t0 TCP [Heavy Forwarder]:41464->[IP2]:9997 (SYN_SENT)
Can I force the outbound SYN to go over port 9997?
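As an added example that is not part of the original post: a small shell helper that takes the output of `lsof -i -P -n` and reports, per indexer, whether the forwarder's TCP handshake completed. The lsof lines below are constructed sample data (the 10.0.x.x addresses are placeholders, not the poster's IPs), and `probe_indexers` assumes bash is available for `/dev/tcp`. Note that the client-side port in such a line (41464 in the post) is an ephemeral source port chosen by the kernel for each outbound connection; only the destination port 9997 is fixed, so a firewall rule for this traffic has to match on destination port, and a connection stuck in SYN_SENT means no SYN-ACK ever came back from the indexer.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: summarize forwarder -> indexer
# TCP sessions from `lsof -i -P -n` output and flag the ones that never
# completed the three-way handshake (state SYN_SENT).
# SAMPLE_LSOF is constructed sample data with placeholder addresses.

SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
splunkd 31931 root   61u  IPv4 570678      0t0  TCP 10.0.1.5:41464->10.0.2.11:9997 (SYN_SENT)
splunkd 31931 root   62u  IPv4 570679      0t0  TCP 10.0.1.5:41465->10.0.2.12:9997 (ESTABLISHED)
splunkd 31931 root   63u  IPv4 570680      0t0  TCP 10.0.1.5:41466->10.0.2.13:9997 (SYN_SENT)'

# Read lsof output on stdin and print one line per outbound TCP connection:
#   "dest_ip dest_port state verdict"
# The local port (41464 etc.) is an ephemeral source port and is deliberately
# not reported; the destination port is the one a firewall rule must allow.
summarize_lsof() {
    awk '$8 == "TCP" && $9 ~ /->/ {
        split($9, ends, "->"); split(ends[2], d, ":")
        state = $10; gsub(/[()]/, "", state)
        verdict = (state == "ESTABLISHED") ? "ok" : "no-handshake"
        print d[1], d[2], state, verdict
    }'
}

# Number of indexers in the sample that never answered the SYN: those are the
# ones to check on the firewall path (destination port 9997, any source port)
# and on the indexer side (splunktcp input enabled and listening on 9997).
count_stuck() {
    printf '%s\n' "$SAMPLE_LSOF" | summarize_lsof | awk '$4 == "no-handshake"' | wc -l | tr -d ' '
}

# Live check (not exercised offline): attempt a short-timeout TCP connect to
# each host:port given on the command line, using bash's /dev/tcp.
# Assumes bash and the coreutils `timeout` command.
probe_indexers() {
    local hp
    for hp in "$@"; do
        if timeout 3 bash -c "exec 3<>/dev/tcp/${hp%:*}/${hp#*:}" 2>/dev/null; then
            echo "$hp reachable"
        else
            echo "$hp blocked-or-not-listening"
        fi
    done
}

# Demo on the constructed sample: two of three indexers are stuck in SYN_SENT.
printf '%s\n' "$SAMPLE_LSOF" | summarize_lsof
echo "stuck: $(count_stuck)"
```

To use it against a live forwarder, pipe real output in (`lsof -i -P -n | summarize_lsof`) and then run `probe_indexers IP1:9997 IP2:9997 ...` from the same host; a destination that shows SYN_SENT in lsof and "blocked-or-not-listening" from the probe points at the firewall rule or at the indexer not listening, not at the forwarder's choice of source port.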