We have purchased Splunk Cloud recently. We couldn't send any logs to Splunk Cloud as ports are blocked. Could you please answer the questions below:
Thanks for the details.
2. Should the source be the Deployment Server and the destination the UFs and HFs, or is two-way required?
3. The syslog server will be managed by Server Ops; we want to set any filtering on the Splunk HF, which the Splunk team manages. So I think I can install a UF on the syslog server and forward it to the HF for any filtering (props)?
4. Sounds good.
5. Is there any official document mentioning encryption? It would be helpful to send to Security Operations. As we are sending data through the internet, should we enable anything for encryption?
On #1 - You need to use the Splunk Cloud Forwarder App in addition to the standard Splunk UF bits to ensure the data makes it to your Cloud deployment. See this for details - https://docs.splunk.com/Documentation/Forwarder/7.2.5/Forwarder/HowtoforwarddatatoSplunkCloud. The credentials package ensures data is delivered compressed and encrypted. See this for #5 - https://docs.splunk.com/Documentation/SplunkCloud/7.2.4/Service/SplunkCloudservice#Additional_inform...
On #2 - the Deployment Clients (UFs, IFs and HFs, in your case) phone home to the Deployment Server. The DS setup for Splunk Cloud is the same as on-prem, if you've had experience with that before. In either case, see this link for more details - https://docs.splunk.com/Documentation/Splunk/7.2.5/Updating/Aboutdeploymentserver
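Added example, not from either poster in this thread: the config files that put the answer to #2 and the filtering idea in #3 into practice. It assumes the hostnames ds01, hf01 and the syslog UF are in an internal domain, that the HF receives on 9997, and that the noisy cron lines are what you want to drop; the Splunk Cloud outputs.conf on the HF comes from the credentials app and is deliberately not shown. Splunk .conf files only allow `#` comments on their own line, so none are inline.

```ini
# --- Syslog server (UF): $SPLUNK_HOME/etc/system/local/deploymentclient.conf ---
# The client opens the connection to the DS management port (8089 by default);
# the DS never connects back, so the only firewall rule needed for the DS is
# forwarder -> ds01:8089, not two-way. Hostnames below are assumed.
[target-broker:deploymentServer]
targetUri = ds01.example.internal:8089

[deployment-client]
phoneHomeIntervalInSecs = 60

# --- Syslog server (UF): $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Tag the files with the sourcetype the HF filter keys on (path is assumed).
[monitor:///var/log/remote-syslog]
sourcetype = syslog
index = syslog

# --- Syslog server (UF): $SPLUNK_HOME/etc/system/local/outputs.conf ---
# UF -> HF only; the UF never talks to Splunk Cloud directly in this design.
[tcpout]
defaultGroup = hf_group

[tcpout:hf_group]
server = hf01.example.internal:9997

# --- DS: $SPLUNK_HOME/etc/system/local/serverclass.conf ---
# Push the filtering app to the HF only. A UF has no parsing pipeline, so a
# TRANSFORMS-based nullQueue filter placed on it would silently do nothing.
[serverClass:syslog_hf]
whitelist.0 = hf01.example.internal

[serverClass:syslog_hf:app:syslog_filter]
restartSplunkd = true

# --- DS: $SPLUNK_HOME/etc/deployment-apps/syslog_filter/local/inputs.conf ---
# Receiving port on the HF for the syslog UF.
[splunktcp://9997]

# --- DS: $SPLUNK_HOME/etc/deployment-apps/syslog_filter/local/props.conf ---
# Stanza name is the sourcetype set by the UF input above.
[syslog]
TRANSFORMS-drop_noise = drop_syslog_noise

# --- DS: $SPLUNK_HOME/etc/deployment-apps/syslog_filter/local/transforms.conf ---
# Events matching REGEX are routed to nullQueue on the HF: they are discarded
# before indexing, never cross the internet to Splunk Cloud, and do not count
# toward the license. The pattern (root cron job start lines) is a constructed
# example; tighten it for your own noise.
[drop_noise_example_comment_free]
REGEX = (?i)\bCRON\[\d+\]:\s+\(root\)\s+CMD\s+\(
DEST_KEY = queue
FORMAT = nullQueue
```

Two checks worth running before trusting it: on the DS, `splunk list deploy-clients` should show hf01 and the syslog UF phoning home (if not, it is almost always the forwarder -> 8089 path being blocked, since that is the only direction the DS needs); on the HF, `splunk cmd btool props list syslog --debug` and `splunk cmd btool transforms list drop_syslog_noise --debug` confirm the pushed app won the precedence fight and that the stanza name in props.conf matches the one in transforms.conf exactly. Note the transforms stanza name above must be `drop_syslog_noise` to match the `TRANSFORMS-drop_noise` line; if you rename one, rename both.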