
Splunk universal forwarder inputs.conf
The release of version 8.1.0 of the Splunk Universal Forwarder introduced a brand new feature to support sending data over HTTP.

Traditionally, a Splunk Universal Forwarder uses the proprietary Splunk-to-Splunk (S2S) protocol for communicating with the Indexers. Using the ‘HTTP Out Sender for Universal Forwarder’ it can now send data to a Splunk Indexer using HTTP. What this feature does is effectively encapsulate the S2S message within an HTTP payload. Additionally, this now enables the use of a 3rd party load balancer between Universal Forwarders and Splunk Receivers. To date, this is a practice which has not been recommended, or supported, for traditional S2S based data forwarding.

Where the new HTTP Out feature is especially useful is in scenarios such as collecting data from systems in an edge location or collecting data from a roaming user’s device. Typically in these situations it would require more complex network configuration, or network traffic exceptions, to support traditional S2S for the connection from the Universal Forwarder to the Indexers. HTTP Out now allows the Universal Forwarder to make use of a standard protocol and port (443), which is generally open and trusted, for outgoing traffic.

Let’s take a look at how we can use the HTTP Out feature of the Splunk Universal Forwarder to transmit data from the laptop of a roaming user, or generally a device outside of our corporate perimeter, which is an occurrence that has become more and more common with the shift to work from home during the pandemic.

For the purpose of this demonstration, we will be working with the following environment configuration:

- Splunk environment in AWS with 2 Indexers and 1 Search Head.
- Laptop with the Splunk Universal Forwarder (8.1.0).

On our Splunk Indexers we have already configured the HTTP Event Collector (HEC) and created a token for receiving data from the Universal Forwarder. Detailed steps for enabling HEC and creating a token can be found on the Splunk Documentation site.

The next thing we need is a Load Balancer which is Internet facing. HTTP Out on the Splunk Universal Forwarder supports Network Load Balancers and Application Load Balancers. For this use case, we have created an Application Load Balancer in AWS. The Load Balancer has a listener created for receiving connection requests on port 443 and forwards them to the Splunk Indexer on port 8088 (the default port used for HEC). The AWS Application Load Balancer provides a DNS A record which we will be using in the Universal Forwarder outputs configuration.

Step 3: Configure The Universal Forwarder

The last step is to install Splunk Universal Forwarder on the roaming user’s laptop and configure HTTP Out using the new httpout stanza in outputs.conf. We have installed the Universal Forwarder on one of our laptops and created the following configuration within the outputs.conf file. For ease of deployment, the outputs.conf configuration file is packaged in a Splunk application and deployed to the laptop to enable data forwarding via HTTP.
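As an added illustration of the httpout stanza described here (this is not the configuration from the original post), the outputs.conf below sends Universal Forwarder traffic to the HEC endpoint behind the Internet-facing load balancer on port 443. The load balancer hostname and the HEC token are placeholders, and the batch settings are assumed tuning values rather than anything the post specifies:

```ini
# Added example: $SPLUNK_HOME/etc/apps/<your_app>/local/outputs.conf
# Send S2S data encapsulated in HTTPS to the HEC listener behind the ALB.
[httpout]
# DNS name of the Internet-facing load balancer (placeholder); the ALB
# listens on 443 and forwards to the indexers on 8088 (HEC default).
uri = https://<alb-dns-name>:443
# HEC token created on the indexers (placeholder). It authorises ingest,
# so treat it as a secret: keep it out of version control and rotate it.
httpEventCollectorToken = <hec-token>
# Assumed optional batching values: events per request / seconds to wait
batchSize = 65536
batchTimeout = 30
```

Because the token is the only credential the forwarder presents, terminate TLS on the load balancer with a certificate the laptop trusts and scope the token to the index it is allowed to write to; on the indexer side, a spike of HEC 403s from a single source address is a useful signal that a token has been revoked or is being replayed.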
