Hello everyone! I'm working closely with my server team, and we are going to deploy a Heavy Forwarder on a cloud server. We're doing this so that we can manage our own tokens. We also have a Splunk department that is allowing me to be the knowledge object admin for our index.
That being said, I'm asking this question to verify that all my information is correct, and that I'm not doing something I shouldn't or adding something that's not relevant to my deployment. The Heavy Forwarder will **NOT** index anything. There will be nothing stored, and we do not wish to pre-cook any extractions before they arrive at the indexer.
The Heavy Forwarder will not have a large volume of traffic (< 1 GB/day). We only have a few applications interested in using our Heavy Forwarder, and those only send roughly 200 KB/day. We deployed a test Heavy Forwarder using Ubuntu on a VirtualBox VM, and we were able to successfully set it up as a forwarder. So, we wish to do the same thing again, but in the cloud.
Here are the ports that I listed for the server team:
- **8000**: Web Interface
- **8065**: Python
- **443** (instead of 8088): REST API event collection
- **8089**: Splunk Management Port
- **8191**: KV Store Port (MongoDB)
We're also going to deploy a minimal server (2-core CPU + 4 GB RAM). Is there anything I need to be aware of before going forth with this deployment? We are also going to be using SSL and HTTPS. Should we also leave some additional ports open for Universal Forwarder / TCP & UDP access?
Thanks!
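One way to check the port list above against what the Heavy Forwarder host actually exposes, as an added example that is not part of the original post: it reads `ss -ltn`-style output, ignores listeners bound only to loopback, and reports ports that are open but not on the planned list (and planned ports nothing is listening on). The `ss` sample is constructed here, not captured from a real host.

```shell
#!/bin/sh
# Added example: diff the planned firewall ports from the post against
# the listeners on a Heavy Forwarder host. Input is `ss -ltn` output.

# Ports the post lists for the server team (443 in place of 8088 for HEC).
PLANNED_PORTS="8000 8065 443 8089 8191"

# Constructed `ss -ltn` sample: 22 and 9997 are unplanned external
# listeners; 8065 and 8191 are bound to loopback only.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8000      0.0.0.0:*
LISTEN 0      128    127.0.0.1:8065    0.0.0.0:*
LISTEN 0      128    0.0.0.0:443       0.0.0.0:*
LISTEN 0      128    0.0.0.0:8089      0.0.0.0:*
LISTEN 0      128    127.0.0.1:8191    0.0.0.0:*
LISTEN 0      128    0.0.0.0:9997      0.0.0.0:*'

# Every LISTEN port, one per line (IPv4 or bracketed IPv6 local address).
listening_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }'
}

# Only ports bound to a non-loopback address: these are the ones a
# firewall rule can actually expose.
external_ports() {
    printf '%s\n' "$1" | awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\])/ {
        n = split($4, a, ":"); print a[n] }'
}

# Externally reachable ports that are not in the planned list.
unplanned_ports() {
    for p in $(external_ports "$1"); do
        case " $PLANNED_PORTS " in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# Planned ports with no listener at all (service down or on another port).
missing_ports() {
    actual=" $(listening_ports "$1" | tr '\n' ' ') "
    for p in $PLANNED_PORTS; do
        case "$actual" in
            *" $p "*) ;;
            *) echo "$p" ;;
        esac
    done
}

# On a real host: unplanned_ports "$(ss -ltn)"; missing_ports "$(ss -ltn)"
unplanned_ports "$SAMPLE_SS"
```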