I appreciate the answer provided by ddrillic, but this question addresses a specific security implementation we may be forced to live with, whereby no outbound traffic, not even TCP acknowledgments, would be permitted. I don't know if anyone out there has been faced with this constraint. I know Splunk can listen on UDP/TCP, but I want it to send UDP through the one-way. Yes, if we detect a gap in events due to the one-way going down, my thought was to have the sending heavy forwarder resend events from the index. The idea is that we would treat the index as a buffer.
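The post above depends on being able to detect a gap in events after the one-way link drops, without any acknowledgment ever crossing back. The following is an added example, not code from the original post and not Splunk's own forwarder logic: it tags each event with a monotonically increasing sequence number before it is sent as a UDP datagram, and the receiving side tracks which sequence numbers never arrived. The JSON envelope, the `GapDetector` class, the `replay_request` helper and the constructed `simulate_link` stand-in for the diode are all assumptions made here to illustrate the design; the list of missing sequence numbers is what would have to leave the receiving side out of band (the link carries nothing back) to trigger a replay from the sending index.

```python
"""Sequence-tagged UDP events over a one-way link, with receiver-side gap detection.

Added example (assumed envelope format); not the original poster's or Splunk's code.
"""
import json
import socket
from typing import Iterable, List, Optional, Set, Tuple


def tag_event(seq: int, event: str) -> bytes:
    """Wrap one event in a JSON envelope carrying its sequence number (assumed format)."""
    return json.dumps({"seq": seq, "event": event}).encode("utf-8")


class GapDetector:
    """Receiving-side tracker: records inclusive ranges of sequence numbers that never arrived."""

    def __init__(self) -> None:
        self.expected: Optional[int] = None      # next sequence number we expect
        self.gaps: List[Tuple[int, int]] = []    # inclusive (first, last) missing ranges
        self.received = 0
        self.duplicates = 0                      # late or replayed datagrams already counted

    def feed(self, datagram: bytes) -> str:
        """Account for one received datagram and return the event it carried."""
        msg = json.loads(datagram.decode("utf-8"))
        seq = int(msg["seq"])
        if self.expected is None:
            self.expected = seq                  # first datagram defines the starting point
        if seq < self.expected:
            self.duplicates += 1                 # replay or reordering; nothing new to track
        else:
            if seq > self.expected:
                self.gaps.append((self.expected, seq - 1))
            self.expected = seq + 1
            self.received += 1
        return msg["event"]


def replay_request(gaps: Iterable[Tuple[int, int]]) -> List[int]:
    """Flatten missing ranges into the sequence numbers the sender must replay from its index."""
    return [s for first, last in gaps for s in range(first, last + 1)]


def send_one_way(datagrams: Iterable[bytes], host: str = "127.0.0.1", port: int = 1514) -> int:
    """Fire-and-forget UDP sender: SOCK_DGRAM and never reads, so nothing is sent back over the link."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for d in datagrams:
            sock.sendto(d, (host, port))
            sent += 1
    return sent


def simulate_link(events: List[str], dropped: Set[int]) -> GapDetector:
    """Constructed stand-in for the diode: datagrams whose seq is in `dropped` never arrive."""
    det = GapDetector()
    for seq, ev in enumerate(events, start=1):
        if seq in dropped:
            continue
        det.feed(tag_event(seq, ev))
    return det


if __name__ == "__main__":
    # Constructed sample: ten events, the link drops sequence numbers 4, 5 and 8.
    det = simulate_link([f"event {i}" for i in range(1, 11)], {4, 5, 8})
    print("missing ranges:", det.gaps)                  # [(4, 5), (8, 8)]
    print("replay from index:", replay_request(det.gaps))  # [4, 5, 8]
```

The detector only ever learns about a gap when a later datagram arrives, so a link that stays down shows up as `expected` standing still rather than as a recorded range; a periodic heartbeat event from the sender makes that case visible too.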