0

I currently have a server in my home lab running Splunk, really love it. I'm soon going to have another server in the EC2 cloud, and I'd love to be able to monitor that using Splunk, hopefully through the primary Splunk server I already have set up.

Now, I don't plan on having a VPN connection set up between the two servers, I don't have the proper hardware to allow that currently sadly. So, what would be the best way to feed data from my remote EC2 server to my local one?

Skyhawk
Chiggins
  • Getting a VPN set up doesn't require any special hardware - check out OpenVPN. – EEAA Jan 31 '12 at 20:51
  • @ErikA - Each time I've used OpenVPN with EC2, the EC2 instance totally loses its network connection and I'm unable to access it, even after reboots. – Chiggins Jan 31 '12 at 20:55
  • That's a configuration issue. Do a test install locally in a Linux server running in VirtualBox. – EEAA Jan 31 '12 at 20:58
  • @ErikA - I'll try that when I get home later. – Chiggins Jan 31 '12 at 21:00

1 Answer

3

Splunk's native event forwarding protocol can run over SSL; if you're able to allow a TCP connection from the EC2 node back to your primary indexer, then that method should cover your needs without a lot of extra effort.

Shane Madden
  • So I'd be able to transmit over SSL, without needing a VPN? Would I have to create my own certs or would Splunk do that for me? – Chiggins Jan 31 '12 at 22:51
  • Right - I believe it does generate a cert on the indexer by default; not sure about the forwarder (assuming that you use the universal forwarder agent install). You may need to generate one for that. – Shane Madden Jan 31 '12 at 22:57
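
A configuration sketch for the SSL forwarding discussed in the answer above, added here as an example and not taken from the original posts. The certificates Splunk creates at install time are signed by a default CA that ships with every Splunk download, so they encrypt the link but do not prove who is on the other end; with the receiving port reachable from the internet and no VPN, this sketch assumes you issue both certificates from your own CA and require verification on both sides. The host name, port, file paths and passwords are placeholders, and the setting names follow recent Splunk releases (older versions use different names, so check the `.conf.spec` files for your version).

```ini
# ---- Indexer (home lab): $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Listen for forwarder traffic over TLS only; do not also enable a
# plain [splunktcp://9997] input on an internet-facing port.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# Indexer certificate + key, issued by your own CA (placeholder path)
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = <indexer-key-password>
# Reject forwarders that do not present a certificate signed by your CA
requireClientCert = true

# ---- Indexer: $SPLUNK_HOME/etc/system/local/server.conf ----
[sslConfig]
# CA used to validate the forwarder's client certificate
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCA.pem


# ---- Forwarder (EC2): $SPLUNK_HOME/etc/system/local/outputs.conf ----
[tcpout]
defaultGroup = home_indexer

[tcpout:home_indexer]
# Public name/port of the home indexer (placeholder)
server = indexer.example.com:9997
# Forwarder certificate + key, issued by the same CA
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <forwarder-key-password>
# Verify the indexer's certificate chain and name before sending data
sslVerifyServerCert = true
sslCommonNameToCheck = indexer.example.com

# ---- Forwarder: $SPLUNK_HOME/etc/system/local/server.conf ----
[sslConfig]
# CA used to validate the indexer's certificate
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCA.pem
```

Restricting the EC2 instance's address in the home firewall rule for port 9997 narrows exposure further; the forwarder's `splunkd.log` reports TLS handshake and certificate validation failures if the two sides disagree.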