Splunk® Universal Forwarder

Forwarder Manual

This documentation does not apply to the most recent version of Splunk® Universal Forwarder. For documentation on the most recent version, go to the latest release.

Configure a forwarder to use a SOCKS proxy

You can configure a forwarder with a Socket Secure version 5 (SOCKS5) proxy server as a target with the intent of forwarding data to an indexer beyond the proxy server.

By default, a Splunk forwarder requires a direct network connection to any receiving indexers. If a firewall blocks connectivity between the forwarder and the indexer, the forwarder cannot send data to the indexer.

You can configure a forwarder to use a SOCKS5 proxy host to send data to an indexer by specifying attributes in a stanza in the outputs.conf configuration file on the forwarder. After you configure and restart the forwarder, it connects to the SOCKS5 proxy host, and optionally authenticates to the server on demand if you provide credentials. The proxy host establishes a connection to the indexer and the forwarder begins sending data through the proxy connection.

Any type of Splunk forwarder can send data through a SOCKS5 proxy host.

This implementation of the SOCKS5 client complies with the Internet Engineering Task Force (IETF) Request for Comments (RFC) Memo #1928. See "Network Working Group: Request for Comments: 1928" (http://www.ietf.org/rfc/rfc1928.txt) on the IETF website.

Security considerations

When you use the SOCKS5 proxy feature on a universal forwarder, note the following security considerations:

  • SOCKS5 proxy support only exists between the forwarder and the indexer inclusive. There is no support for the usage of SOCKS with any other Splunk features, apps, or add-ons.
  • The SOCKS5 protocol sends authentication credentials in clear text. Due to this implementation, these credentials are vulnerable to a man-in-the-middle attacker. This means that an attacker can secretly relay and possibly change communication between the SOCKS client and the SOCKS proxy host. This is a caveat of the SOCKS protocol, not the implementation of this feature in Splunk software.
  • For the most secure results, use the SOCKS attributes only on forwarders which are inside networks that a SOCKS proxy host protects. Deploying a forwarder in an unprotected environment can result in the interception of SOCKS credentials by a third party, even though the forwarder has SOCKS proxy support enabled.

Configure a SOCKS5 proxy connection with configuration files

To configure a SOCKS5 proxy connection, edit stanzas in outputs.conf and specify certain attributes to enable the proxy. For a list of valid proxy attributes, see Proxy configuration values. You cannot configure proxy servers in Splunk Web.

1. Open $SPLUNK_HOME/etc/system/local/outputs.conf for editing.

2. Define forwarding servers or output groups in outputs.conf by creating [tcpout] or [tcpout-server] stanzas.

3. In the stanza for connections that should have SOCKS5 proxy support, add attributes for SOCKS that fit your proxy configuration. Specify at least the socksServer attribute to enable proxy support.

4. Save the file and close it.

5. Restart the forwarder.

6. On the receiving indexer, user the Search and Reporting app to confirm that the indexer received the data.

Proxy configuration values

Use the following attributes to configure SOCKS5 on the forwarder:

Attribute Description Default
socksServer Specify the host name or IP address and port of the SOCKS5 proxy it should connect to for forwarding data.

Specify one of host:port or IP address:port. Specify both the host name or the IP address and the port. You must specify this attribute to enable SOCKS5 support.

N/A
socksUsername (Optional) Specifies the username to authenticate to the SOCKS5 proxy host if it demands authentication during the connection phase. N/A
socksPassword (Optional) Specifies the password when authenticating into a SOCKS5 proxy host that demands authentication during the connection phase.

The forwarder obfuscates this password when it loads the configuration that is associated with the stanza.

N/A
socksResolveDNS (Optional) Specify whether or not the forwarder should use DNS to resolve the host names of indexers in the output group before passing that information on to the SOCKS5 proxy host.

When you set this attribute to true, the forwarder sends the name of the indexers to the SOCKS5 proxy host as is, and the SOCKS5 proxy host must then resolve the indexer host names through DNS. Set to true if, for example, the forwarder and the proxy server are on different networks served by different DNS servers.

When you set it to false, the forwarder attempts to resolve the indexer host names through DNS itself, and if it is successful, sends the resolved IP addresses of the indexers to the SOCKS5 proxy host.

This attribute only applies if you specify host names for indexers in the [tcpout] or [tcpout-server] stanzas. If you specify IP addresses, DNS resolution does not happen.

false

Examples of SOCKS5 support

Here are some examples of outputs.conf stanzas with SOCKS5 proxy support enabled:

This example establishes a connection to a SOCKS5 proxy host that forwards the data to indexers beyond the host:

[tcpout]
defaultGroup = proxy_indexers

[tcpout:proxy_indexers]
server = indexer1.slapstick.com:9997, indexer2.slapstick.com:9997
socksServer = prx.slapstick.com:1080

This example uses credentials to authenticate into the proxy host before attempting to send data, and tells the proxy host to resolve DNS to determine the indexers to connect for sending data:

[tcpout]
defaultGroup = socksCredentials

[tcpout:socksCredentials]
server = indexer3.slapstick.com:9997
socksServer = prx.slapstick.com:1081
socksUsername = proxysrv
socksPassword = letmein
socksResolveDNS = true
Last modified on 01 December, 2021
Configure load balancing for Splunk Enterprise   Configure an intermediate forwarder

This documentation applies to the following versions of Splunk® Universal Forwarder: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters