I'm new to Splunk, but I need some answers pretty fast. We are invited to insource infrastructure monitoring and control from a high-security environment. As we are outside the customer's domain, obviously the dashboard runs on servers outside the customer's infrastructure. Of course there needs to be communication between agents running in the infrastructure and the dashboard to upload events and monitoring data.
However, it is absolutely a requirement from the customer that there is NO traffic from the dashboard to the agents on their infrastructure. Upload of data is no problem, but any packet downstream will be blocked. Even "keep alive" traffic.
Is anyone experienced enough to give me an answer on this?
It depends on what level you're considering the traffic.
You can have your UFs just pushing data to the HFs/indexers outside of the "secure" environment so that all connections are initiated from within that environment towards the outside. But these are still TCP connections, so packets go both ways.
If you want to have a "diode" between the environments you'd have to employ some form of stateless connectionless event forwarding. What fulfills those requirements? Some UDP-based protocol. Of course the obvious choice here is syslog over UDP.
You're of course limited by the packet size, but that's pretty much the only reasonable choice that you have if you want to have purely "outwards only" communication.
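As an added illustration of the answer above (example code written for this thread, not code from the answerer or from Splunk), the following Python script emits events as RFC 5424 syslog lines over UDP: the sending socket is never read from, each event is kept within the 480-octet datagram size that RFC 5426 requires every syslog/UDP receiver to accept, and longer events are cut into tagged parts so the collector can see that one event arrived in several datagrams. The hostname `agent01`, the app name `monitor`, the timestamp `EXAMPLE_TS` and the loopback receiver are all constructed for the demo; in practice the receiver would be the collector or indexer's UDP syslog input, and the "outwards only" rule still has to be enforced by the firewall or diode, since UDP only removes the handshake and acknowledgements, not the possibility of a packet in the other direction.

```python
import socket
from datetime import datetime, timezone

# Minimum datagram size every syslog/UDP receiver must accept (RFC 5426, 3.2).
# Raise it only when the receiving side is known to allow larger datagrams.
MAX_DATAGRAM_BYTES = 480

# Facility and severity numbers as defined in RFC 5424, section 6.2.1.
FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6

# Constructed, fixed timestamp so the demo output is reproducible.
EXAMPLE_TS = datetime(2024, 1, 2, 3, 4, 5, 678000, tzinfo=timezone.utc)


def format_syslog(facility, severity, hostname, app_name, msg, ts=None):
    """Build one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = facility * 8 + severity
    ts = ts or datetime.now(timezone.utc)
    timestamp = ts.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    # PROCID, MSGID and STRUCTURED-DATA are left as NILVALUE ("-").
    return f"<{pri}>1 {timestamp} {hostname} {app_name} - - - {msg}"


def _chunk_text(text, max_bytes):
    """Greedily cut text into pieces of at most max_bytes UTF-8 bytes,
    never splitting a multi-byte character."""
    chunks, current, size = [], [], 0
    for ch in text:
        n = len(ch.encode("utf-8"))
        if size + n > max_bytes and current:
            chunks.append("".join(current))
            current, size = [], 0
        current.append(ch)
        size += n
    if current:
        chunks.append("".join(current))
    return chunks


def split_event(facility, severity, hostname, app_name, msg,
                max_bytes=MAX_DATAGRAM_BYTES, ts=None):
    """Return syslog lines for one event, each fitting in max_bytes.
    A long event becomes several lines tagged "[part i/n]"; because nothing
    ever flows back to the sender, the tag is the receiver's only hint that
    parts belong together or that one went missing."""
    header = format_syslog(facility, severity, hostname, app_name, "", ts)
    header_len = len(header.encode("utf-8"))
    if header_len + len(msg.encode("utf-8")) <= max_bytes:
        return [header + msg]
    room = max_bytes - header_len - len("[part 999/999] ")
    if room <= 0:
        raise ValueError("max_bytes too small for the syslog header")
    parts = _chunk_text(msg, room)
    n = len(parts)
    return [f"{header}[part {i}/{n}] {p}" for i, p in enumerate(parts, 1)]


def send_one_way(lines, host, port):
    """Send each line as one UDP datagram and return how many were sent.
    The socket is write-only here: no recv, no connect, so no reply or
    ICMP error is ever consumed by the sender."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))
            sent += 1
    return sent


def bind_loopback():
    """Stand-in for the collector: a UDP receiver on an ephemeral loopback port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    return sock, sock.getsockname()[1]


def receive_lines(sock, count, timeout=2.0):
    """Read count datagrams from a bound receiver socket and decode them."""
    sock.settimeout(timeout)
    received = []
    for _ in range(count):
        data, _addr = sock.recvfrom(65535)
        received.append(data.decode("utf-8"))
    return received


if __name__ == "__main__":
    sock, port = bind_loopback()
    event = "disk /var at 91% on agent01; " * 40  # constructed long event
    lines = split_event(FACILITY_LOCAL0, SEVERITY_INFO, "agent01", "monitor",
                        event, ts=EXAMPLE_TS)
    print(send_one_way(lines, "127.0.0.1", port), "datagrams sent")
    for line in receive_lines(sock, len(lines)):
        print(len(line.encode("utf-8")), "bytes:", line[:70], "...")
    sock.close()
```

Run it as a script to see a long event go out as four datagrams of at most 480 bytes and arrive on the loopback receiver. The lack of any return path is also the caveat: a dropped datagram is only noticed by a gap in the `[part i/n]` sequence on the collector side, so the receiving end needs its own alerting for silent sources.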
The dashboard will run the search on the indexer, that is, on the data transferred to the Splunk indexer from the agent.
But there will be some data transfer from Splunk Enterprise to the agent (UF). There will be some instructions sent from Splunk to the agent via port 8089.
Apart from this, there will not be any downstream packet transfer between these two.