Splunk® Enterprise

Forwarding Data

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.0 is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Configure a forwarder to use a SOCKS proxy

This topic discusses how to configure a forwarder with a Socket Secure version 5 (SOCKS5) proxy server as a target with the intent of forwarding data to an indexer beyond the proxy server.

By default, a Splunk forwarder requires a direct network connection to any receiving indexers. If a firewall blocks connectivity between the forwarder and the indexer, the forwarder cannot send data to the indexer.

Starting with version 6.3 of Splunk Enterprise, you can configure a forwarder to use a SOCKS5 proxy host to send data to an indexer. You can do this by specifying attributes in a stanza in the outputs.conf configuration file on the forwarder. After you configure and restart the forwarder, it connects to the SOCKS5 proxy host, and optionally authenticates to the server on demand if you provide credentials. The proxy host establishes a connection to the indexer and the forwarder begins sending data through the proxy connection.

Any type of Splunk forwarder can send data through a SOCKS5 proxy host.

This implementation of the SOCKS5 client complies with the Internet Engineering Task Force (IETF) Request for Comments (RFC) Memo #1928. For information on this memo, see "Network Working Group: Request for Comments: 1928" (http://www.ietf.org/rfc/rfc1928.txt) on the IETF website.

To configure a SOCKS5 proxy connection, edit stanzas in outputs.conf and specify certain attributes to enable the proxy. For a list of valid proxy attributes, see "Proxy configuration values." You cannot configure proxy servers in Splunk Web.

Configure a SOCKS5 proxy connection with configuration files

1. Make a copy of $SPLUNK_HOME/etc/system/default/outputs.conf and place it into $SPLUNK_HOME/etc/system/local.

2. Open $SPLUNK_HOME/etc/system/local/outputs.conf for editing.

3. Define forwarding servers or output groups in outputs.conf by creating [tcpout] or [tcpout-server] stanzas. See "Configure forwarders with outputs.conf."

4. In the stanza for connections that should have SOCKS5 proxy support, add attributes for SOCKS that fit your proxy configuration. You must specify at least the socksServer attribute to enable proxy support.

5. Save the file and close it.

6. Restart the forwarder.

7. On the receiving indexer, user the Search and Reporting app to confirm that the indexer received the data.

Proxy configuration values

Use the following attributes to configure SOCKS5 on the forwarder:

Attribute Description Default
socksServer Tells the forwarder the host name or IP address and port of the SOCKS5 proxy it should connect to for forwarding data.

You can specify one of host:port or IP address:port. You must specify both the host name or the IP address and the port. You must specify this attribute to enable SOCKS5 support.

N/A
socksUsername (Optional) Tells the forwarder to use this username to authenticate to the SOCKS5 proxy host if it demands authentication during the connection phase. N/A
socksPassword (Optional) Tells the forwarder to provide this password when authenticating into a SOCKS5 proxy host that demands authentication during the connection phase.

The forwarder obfuscates this password when it loads the configuration that is associated with the stanza. However, there are some security considerations. See "Security considerations".

N/A
socksResolveDNS (Optional) Tells the forwarder whether or not it should use DNS to resolve the host names of indexers in the output group before passing that information on to the SOCKS5 proxy host.

When you set this attribute to true, the forwarder sends the name of the indexers to the SOCKS5 proxy host as is, and the SOCKS5 proxy host must then resolve the indexer host names through DNS. Set to true if, for example, the forwarder and the proxy server are on different networks served by different DNS servers.

When you set it to false, the forwarder attempts to resolve the indexer host names through DNS itself, and if it is successful, sends the resolved IP addresses of the indexers to the SOCKS5 proxy host.

This attribute only applies if you specify host names for indexers in the [tcpout] or [tcpout-server] stanzas. If you specify IP addresses, DNS resolution does not happen.

false

Examples of SOCKS5 support

Here are some examples of outputs.conf stanzas with SOCKS5 proxy support enabled:

This example establishes a connection to a SOCKS5 proxy host that forwards the data to indexers beyond the host:

[tcpout]
defaultGroup = proxy_indexers

[tcpout:proxy_indexers]
server = indexer1.slapstick.com:9997, indexer2.slapstick.com:9997
socksServer = prx.slapstick.com:1080

This example uses credentials to authenticate into the proxy host before attempting to send data, and tells the proxy host to resolve DNS to determine the indexers to connect for sending data:

[tcpout]
defaultGroup = socksCredentials

[tcpout:socksCredentials]
server = indexer3.slapstick.com:9997
socksServer = prx.slapstick.com:1081
socksUsername = proxysrv
socksPassword = letmein
socksResolveDNS = true

Security considerations

Note the following caveats when using this feature:

  • SOCKS5 proxy support only exists between the forwarder and the indexer inclusive. There is no support for the usage of SOCKS with any other Splunk features, apps, or add-ons.
  • The SOCKS5 protocol sends authentication credentials in clear text. Due to this implementation, these credentials are vulnerable to a man-in-the-middle attacker. This means that an attacker can secretly relay and possibly change communication between the SOCKS client and the SOCKS proxy host. This is a caveat of the SOCKS protocol, not the implementation of this feature in Splunk software.
  • For the most secure results, use the SOCKS attributes only on forwarders which are inside networks that a SOCKS proxy host protects. Deploying a forwarder in an unprotected environment can result in the interception of SOCKS credentials by a third party, even though the forwarder has SOCKS proxy support enabled.
Last modified on 23 September, 2016
PREVIOUS
Set up load balancing
  NEXT
Configure an intermediate forwarder

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.6, 8.0.10, 7.2.10, 7.0.1, 8.0.5, 8.0.8, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.2.0, 9.2.1, 8.0.7, 8.0.9, 8.1.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters