I am working on a proof of concept but I am failing to see where security comes in regarding forwarders and receivers. I installed and configured a universal forwarder on a Windows host. I configured a receiver on an on-premises Splunk Enterprise server. I can't see any security on this at all. If a receiver is open, any host that can route to the enterprise server can just stream junk at it? How is this traffic filtered or authenticated? Control of which index the data is dumped to seems to be in the forwarder configuration, so the server seems to not have any control of how that data gets routed? Does this mean any user who can reach my Splunk Enterprise server can spam any index it wants to without any form of authentication? How is this protected under best practices? I am confused.
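As an added illustration (not part of the post, and not copied from Splunk's documentation) of the two controls the question is missing: the receiver accepts only TLS connections from forwarders that present a certificate issued by your own CA (and optionally only from allowlisted networks), and the indexer overrides the index the forwarder asked for. Hostnames, certificate paths, the CN values and the index name are assumptions.

```ini
# --- inputs.conf on the Splunk Enterprise receiver (indexer) ---
# Use the TLS-only receiving stanza instead of a plain [splunktcp://9997];
# do not leave an unencrypted receiver open alongside it.
[splunktcp-ssl:9997]
disabled = 0
# Optional network allowlist (assumed subnet): drop connections from anywhere else
acceptFrom = 10.20.0.0/16, !*

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
sslPassword = <cert-password-placeholder>
# Refuse any sender that does not present a client certificate signed by the CA
# configured in server.conf [sslConfig] sslRootCAPath
requireClientCert = true
# Additionally pin the certificate subject the forwarder must present (assumed CN)
sslCommonNameToCheck = uf.example.com

# --- server.conf on the indexer (CA used to validate forwarder certificates) ---
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem

# --- props.conf on the indexer ---
# The forwarder's own index choice is ignored for data from this host:
# an index-time transform rewrites the index field before the event is stored.
[host::uf.example.com]
TRANSFORMS-force_index = force_index

# --- transforms.conf on the indexer ---
[force_index]
REGEX = .
DEST_KEY = _MetaData:Index
FORMAT = uf_landing

# --- outputs.conf on the universal forwarder ---
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = indexer.example.com:9997
# Client certificate that satisfies requireClientCert on the receiver
clientCert = $SPLUNK_HOME/etc/auth/uf.pem
sslPassword = <cert-password-placeholder>
# Verify the indexer's certificate too, so the forwarder cannot be redirected
sslVerifyServerCert = true
sslCommonNameToCheck = indexer.example.com
useACK = true
```

With these settings in place, a host that can merely route to port 9997 is rejected at the TLS handshake, and even an authenticated forwarder cannot choose which index its events land in.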