Configure a forwarder to use a SOCKS proxy
This topic discusses how to configure a forwarder with a Socket Secure version 5 (SOCKS5) proxy server as a target with the intent of forwarding data to an indexer beyond the proxy server.
By default, a Splunk forwarder requires a direct network connection to any receiving indexers. If a firewall blocks connectivity between the forwarder and the indexer, the forwarder cannot send data to the indexer.
Starting with version 6.3 of Splunk Enterprise, you can configure a forwarder to use a SOCKS5 proxy host to send data to an indexer. You can do this by specifying attributes in a stanza in the
outputs.conf configuration file on the forwarder. After you configure and restart the forwarder, it connects to the SOCKS5 proxy host, and optionally authenticates to the server on demand if you provide credentials. The proxy host establishes a connection to the indexer and the forwarder begins sending data through the proxy connection.
Any type of Splunk forwarder can send data through a SOCKS5 proxy host.
This implementation of the SOCKS5 client complies with the Internet Engineering Task Force (IETF) Request for Comments (RFC) Memo #1928. For information on this memo, see "Network Working Group: Request for Comments: 1928" (http://www.ietf.org/rfc/rfc1928.txt) on the IETF website.
To configure a SOCKS5 proxy connection, edit stanzas in
outputs.conf and specify certain attributes to enable the proxy. For a list of valid proxy attributes, see "Proxy configuration values." You cannot configure proxy servers in Splunk Web.
Configure a SOCKS5 proxy connection with configuration files
1. Make a copy of
$SPLUNK_HOME/etc/system/default/outputs.conf and place it into $SPLUNK_HOME/etc/system/local.
$SPLUNK_HOME/etc/system/local/outputs.conf for editing.
3. Define forwarding servers or output groups in
outputs.conf by creating
[tcpout-server] stanzas. See "Configure forwarders with outputs.conf."
4. In the stanza for connections that should have SOCKS5 proxy support, add attributes for SOCKS that fit your proxy configuration. You must specify at least the
socksServer attribute to enable proxy support.
5. Save the file and close it.
6. Restart the forwarder.
7. On the receiving indexer, user the Search and Reporting app to confirm that the indexer received the data.
Proxy configuration values
Use the following attributes to configure SOCKS5 on the forwarder:
||Tells the forwarder the host name or IP address and port of the SOCKS5 proxy it should connect to for forwarding data.
You can specify one of
||(Optional) Tells the forwarder to use this username to authenticate to the SOCKS5 proxy host if it demands authentication during the connection phase.||N/A|
||(Optional) Tells the forwarder to provide this password when authenticating into a SOCKS5 proxy host that demands authentication during the connection phase.
The forwarder obfuscates this password when it loads the configuration that is associated with the stanza. However, there are some security considerations. See "Security considerations".
||(Optional) Tells the forwarder whether or not it should use DNS to resolve the host names of indexers in the output group before passing that information on to the SOCKS5 proxy host.
When you set this attribute to
When you set it to
This attribute only applies if you specify host names for indexers in the
Examples of SOCKS5 support
Here are some examples of
outputs.conf stanzas with SOCKS5 proxy support enabled:
This example establishes a connection to a SOCKS5 proxy host that forwards the data to indexers beyond the host:
[tcpout] defaultGroup = proxy_indexers [tcpout:proxy_indexers] server = indexer1.slapstick.com:9997, indexer2.slapstick.com:9997 socksServer = prx.slapstick.com:1080
This example uses credentials to authenticate into the proxy host before attempting to send data, and tells the proxy host to resolve DNS to determine the indexers to connect for sending data:
[tcpout] defaultGroup = socksCredentials [tcpout:socksCredentials] server = indexer3.slapstick.com:9997 socksServer = prx.slapstick.com:1081 socksUsername = proxysrv socksPassword = letmein socksResolveDNS = true
Note the following caveats when using this feature:
- SOCKS5 proxy support only exists between the forwarder and the indexer inclusive. There is no support for the usage of SOCKS with any other Splunk features, apps, or add-ons.
- The SOCKS5 protocol sends authentication credentials in clear text. Due to this implementation, these credentials are vulnerable to a man-in-the-middle attacker. This means that an attacker can secretly relay and possibly change communication between the SOCKS client and the SOCKS proxy host. This is a caveat of the SOCKS protocol, not the implementation of this feature in Splunk software.
- For the most secure results, use the SOCKS attributes only on forwarders which are inside networks that a SOCKS proxy host protects. Deploying a forwarder in an unprotected environment can result in the interception of SOCKS credentials by a third party, even though the forwarder has SOCKS proxy support enabled.
Set up load balancing
Configure an intermediate forwarder
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2106, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209 (latest FedRAMP release)
Feedback submitted, thanks!