Configure a forwarder to use a SOCKS proxy
You can configure a forwarder with a Socket Secure version 5 (SOCKS5) proxy server as a target with the intent of forwarding data to an indexer beyond the proxy server.
By default, a Splunk forwarder requires a direct network connection to any receiving indexers. If a firewall blocks connectivity between the forwarder and the indexer, the forwarder cannot send data to the indexer.
You can configure a forwarder to use a SOCKS5 proxy host to send data to an indexer by specifying attributes in a stanza in the
outputs.conf configuration file on the forwarder. After you configure and restart the forwarder, it connects to the SOCKS5 proxy host, and optionally authenticates to the server on demand if you provide credentials. The proxy host establishes a connection to the indexer and the forwarder begins sending data through the proxy connection.
Any type of Splunk forwarder can send data through a SOCKS5 proxy host.
This implementation of the SOCKS5 client complies with the Internet Engineering Task Force (IETF) Request for Comments (RFC) Memo #1928. See "Network Working Group: Request for Comments: 1928" (http://www.ietf.org/rfc/rfc1928.txt) on the IETF website.
When you use the SOCKS5 proxy feature on a universal forwarder, note the following security considerations:
- SOCKS5 proxy support only exists between the forwarder and the indexer inclusive. There is no support for the usage of SOCKS with any other Splunk features, apps, or add-ons.
- The SOCKS5 protocol sends authentication credentials in clear text. Due to this implementation, these credentials are vulnerable to a man-in-the-middle attacker. This means that an attacker can secretly relay and possibly change communication between the SOCKS client and the SOCKS proxy host. This is a caveat of the SOCKS protocol, not the implementation of this feature in Splunk software.
- For the most secure results, use the SOCKS attributes only on forwarders which are inside networks that a SOCKS proxy host protects. Deploying a forwarder in an unprotected environment can result in the interception of SOCKS credentials by a third party, even though the forwarder has SOCKS proxy support enabled.
Configure a SOCKS5 proxy connection with configuration files
To configure a SOCKS5 proxy connection, edit stanzas in
outputs.conf and specify certain attributes to enable the proxy. For a list of valid proxy attributes, see Proxy configuration values. You cannot configure proxy servers in Splunk Web.
$SPLUNK_HOME/etc/system/local/outputs.conf for editing.
2. Define forwarding servers or output groups in
outputs.conf by creating
3. In the stanza for connections that should have SOCKS5 proxy support, add attributes for SOCKS that fit your proxy configuration. Specify at least the
socksServer attribute to enable proxy support.
4. Save the file and close it.
5. Restart the forwarder.
6. On the receiving indexer, user the Search and Reporting app to confirm that the indexer received the data.
Proxy configuration values
Use the following attributes to configure SOCKS5 on the forwarder:
||Specify the host name or IP address and port of the SOCKS5 proxy it should connect to for forwarding data.
Specify one of
||(Optional) Specifies the username to authenticate to the SOCKS5 proxy host if it demands authentication during the connection phase.||N/A|
||(Optional) Specifies the password when authenticating into a SOCKS5 proxy host that demands authentication during the connection phase.
The forwarder obfuscates this password when it loads the configuration that is associated with the stanza.
||(Optional) Specify whether or not the forwarder should use DNS to resolve the host names of indexers in the output group before passing that information on to the SOCKS5 proxy host.
When you set this attribute to
When you set it to
This attribute only applies if you specify host names for indexers in the
Examples of SOCKS5 support
Here are some examples of
outputs.conf stanzas with SOCKS5 proxy support enabled:
This example establishes a connection to a SOCKS5 proxy host that forwards the data to indexers beyond the host:
[tcpout] defaultGroup = proxy_indexers [tcpout:proxy_indexers] server = indexer1.slapstick.com:9997, indexer2.slapstick.com:9997 socksServer = prx.slapstick.com:1080
This example uses credentials to authenticate into the proxy host before attempting to send data, and tells the proxy host to resolve DNS to determine the indexers to connect for sending data:
[tcpout] defaultGroup = socksCredentials [tcpout:socksCredentials] server = indexer3.slapstick.com:9997 socksServer = prx.slapstick.com:1081 socksUsername = proxysrv socksPassword = letmein socksResolveDNS = true
Configure load balancing for Splunk Enterprise
Configure an intermediate forwarder
This documentation applies to the following versions of Splunk® Universal Forwarder: 188.8.131.52, 8.2.4, 8.2.5
Feedback submitted, thanks!