We have several remote and traveling systems that we need to forward logs from to our on-prem Splunk environment. Splunk Cloud is not an option.
Are there any best practices for system config or architecture?
Is it possible to use a reverse proxy for inbound connections to the deployment server?
Should the reverse proxy have a Splunk UF or should an intermediate HF be used to forward to the indexer tier?
Not sure if it's a "best practice", but consider putting 2 or more HFs in a DMZ. The UFs forward to them, which forward to the indexers. Use an SSL certificate to keep out unwanted traffic to the HFs.
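The layout suggested in the reply above, as an added configuration example that is not part of the original thread: UFs send to two DMZ heavy forwarders over TLS, and the HFs reject any client that does not present a certificate from the trusted CA. Host names, certificate paths, the group names and port 9997 are assumptions; the stanza and setting names are standard Splunk `inputs.conf`, `outputs.conf` and `server.conf` settings.

```ini
# ---- DMZ heavy forwarder: inputs.conf ----
# Listen for forwarder traffic on TLS only (no plain [splunktcp] stanza).
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# Assumed path: HF certificate + private key in one PEM file.
serverCert = $SPLUNK_HOME/etc/auth/mycerts/hf-server.pem
# Placeholder: password of the private key, if it has one.
sslPassword = <private-key-password>
# Refuse clients that do not present a certificate signed by the trusted CA.
requireClientCert = true
sslVersions = tls1.2

# ---- DMZ heavy forwarder and every UF: server.conf ----
[sslConfig]
# Assumed path: the private CA that issued both the HF and UF certificates.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem

# ---- Remote / traveling UF: outputs.conf ----
[tcpout]
defaultGroup = dmz_hfs

[tcpout:dmz_hfs]
# Assumed host names; the UF load-balances across both HFs.
server = hf1.example.com:9997, hf2.example.com:9997
# Assumed path: UF client certificate + private key in one PEM file.
clientCert = $SPLUNK_HOME/etc/auth/mycerts/uf-client.pem
sslPassword = <private-key-password>
# Verify the HF's certificate so the UF does not send to an impostor.
sslVerifyServerCert = true
sslCommonNameToCheck = hf1.example.com, hf2.example.com
# Keep events in the UF's wait queue until the HF acknowledges them.
useACK = true

# ---- DMZ heavy forwarder: outputs.conf ----
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
# Assumed internal indexer addresses; only the HFs need a firewall path to them.
server = idx1.internal.example:9997, idx2.internal.example:9997
useACK = true
```

With this arrangement the only inbound rule from the internet is to the HFs on the TLS port, and a lost or decommissioned laptop is cut off by revoking or reissuing its client certificate.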
Thanks. We also have some potential options for collecting logs when connected to our VPN.
Last I looked, I don't recall options for local log storage on a UF (only buffer and queue) to be uploaded when connected to a VPN. Is this still the case?
AFAIK, queueing within the UF hasn't changed.