

Traditionally, a Splunk Universal Forwarder uses the proprietary Splunk-to-Splunk (S2S) protocol for communicating with the Indexers. The release of version 8.1.0 of the Splunk Universal Forwarder introduced a brand new feature to support sending data over HTTP.

Using the ‘HTTP Out Sender for Universal Forwarder’, it can now send data to a Splunk Indexer using HTTP. This feature effectively encapsulates the S2S message within an HTTP payload. Additionally, this now enables the use of a 3rd party load-balancer between Universal Forwarders and Splunk Receivers. To date, this is a practice which has not been recommended, or supported, for traditional S2S based data forwarding.

Where the new HTTP Out feature is especially useful is in scenarios such as collecting data from systems in an edge location or collecting data from a roaming user’s device. Typically in these situations it would require more complex network configuration, or network traffic exceptions, to support traditional S2S for the connection from the Universal Forwarder to the Indexers. HTTP Out now allows the Universal Forwarder to make use of a standard protocol and port (443), which is generally open and trusted, for outgoing traffic.

Let’s take a look at how we can use the HTTP Out feature of the Splunk Universal Forwarder to transmit data from the laptop of a roaming user, or generally a device outside of our corporate perimeter, which is an occurrence that has become more and more common with the shift to work from home during the pandemic.

For the purpose of this demonstration, we will be working with the following environment configuration:
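To make the HTTP Out path concrete, here is an added example of the two configuration files involved: the `[httpout]` stanza in outputs.conf on the Universal Forwarder, and the HTTP Event Collector (HEC) input on the receiving Indexer that accepts the encapsulated S2S payloads. This is illustrative configuration written for this page, not configuration from the original post or from Splunk; the host names, the token value and the stanza name `uf_httpout` are placeholders, and the setting names should be checked against the outputs.conf and inputs.conf specs for your Universal Forwarder and Indexer versions.

```ini
# Added example, not from the original post. Values in <angle brackets> are placeholders.

# --- Universal Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf
[httpout]
# Endpoint the forwarder POSTs S2S-in-HTTP payloads to. Pointing it at a
# load balancer on 443 is what lets a roaming laptop reach the indexers
# without a special S2S (9997) exception in the perimeter firewall.
uri = https://<load-balancer-fqdn>:443
# HEC token issued on the indexers; this is the credential that authorises
# ingest, so scope it to this use and rotate it like any other secret.
httpEventCollectorToken = <hec-token-guid>
# Batch settings: flush when either threshold is reached.
batchSize = 65536
batchTimeout = 30

# --- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf
[http]
disabled = 0
# Only accept TLS on the collector; the load balancer forwards to this port.
enableSSL = 1
port = 8088

[http://uf_httpout]
disabled = 0
# Must match httpEventCollectorToken on the forwarder.
token = <hec-token-guid>
```

Two points a defender should check with this layout: the HEC token in outputs.conf is a bearer credential, so a device outside the perimeter that carries it can submit data to your indexers, and any compromise of that device should trigger token rotation; and because the whole justification for port 443 is that it is "trusted", make sure the forwarder verifies the server certificate presented by the load balancer so that the encapsulated S2S stream cannot be redirected to a look-alike endpoint.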
