SOCKS proxy Default Port
This topic discusses how to configure a forwarder with a Socket Secure version 5 (SOCKS5) proxy server as a target with the intent of forwarding data to an indexer beyond the proxy server.
By default, a Splunk forwarder requires a direct network connection to any receiving indexers. If a firewall blocks connectivity between the forwarder and the indexer, the forwarder cannot send data to the indexer.
Starting with version 6.3 of Splunk Enterprise, you can configure a forwarder to use a SOCKS5 proxy host to send data to an indexer. You can do this by specifying attributes in a stanza in the outputs.conf configuration file on the forwarder. After you configure and restart the forwarder, it connects to the SOCKS5 proxy host, and optionally authenticates to the server on demand if you provide credentials. The proxy host establishes a connection to the indexer and the forwarder begins sending data through the proxy connection.
Any type of Splunk forwarder can send data through a SOCKS5 proxy host.
This implementation of the SOCKS5 client complies with the Internet Engineering Task Force (IETF) Request for Comments (RFC) Memo #1928. For information on this memo, see "Network Working Group: Request for Comments: 1928" on the IETF website.
To configure a SOCKS5 proxy connection, edit stanzas in outputs.conf and specify certain attributes to enable the proxy. For a list of valid proxy attributes, see "Proxy configuration values." You cannot configure proxy servers in Splunk Web.
Configure a SOCKS5 proxy connection with configuration files
1. Make a copy of $SPLUNK_HOME/etc/system/default/outputs.conf and place it into $SPLUNK_HOME/etc/system/local.
2. Open $SPLUNK_HOME/etc/system/local/outputs.conf for editing.
3. Define forwarding servers or output groups in outputs.conf by creating [tcpout] or [tcpout-server] stanzas. See "Configure forwarders with outputs.conf."
4. In the stanza for connections that should have SOCKS5 proxy support, add attributes for SOCKS that fit your proxy configuration. You must specify at least the socksServer attribute to enable proxy support.
5. Save the file and close it.
6. Restart the forwarder.
7. On the receiving indexer, user the Search and Reporting app to confirm that the indexer received the data.
Proxy configuration values
Use the following attributes to configure SOCKS5 on the forwarder:
|socksServer||Tells the forwarder the host name or IP address and port of the SOCKS5 proxy it should connect to for forwarding data.
You can specify one of host:port or IP address:port. You must specify both the host name or the IP address and the port. You must specify this attribute to enable SOCKS5 support.
|socksUsername||(Optional) Tells the forwarder to use this username to authenticate to the SOCKS5 proxy host if it demands authentication during the connection phase.|
|socksPassword||(Optional) Tells the forwarder to provide this password when authenticating into a SOCKS5 proxy host that demands authentication during the connection phase.
The forwarder obfuscates this password when it loads the configuration that is associated with the stanza. However, there are some security considerations. See "Security considerations".
|socksResolveDNS||(Optional) Tells the forwarder whether or not it should use DNS to resolve the host names of indexers in the output group before passing that information on to the SOCKS5 proxy host.
When you set this attribute to true, the forwarder sends the name of the indexers to the SOCKS5 proxy host as is, and the SOCKS5 proxy host must then resolve the indexer host names through DNS. Set to true if, for example, the forwarder and the proxy server are on different networks served by different DNS servers.
When you set it to false, the forwarder attempts to resolve the indexer host names through DNS itself, and if it is successful, sends the resolved IP addresses of the indexers to the SOCKS5 proxy host.
This attribute only applies if you specify host names for indexers in the [tcpout] or [tcpout-server] stanzas. If you specify IP addresses, DNS resolution does not happen.
Examples of SOCKS5 support
Here are some examples of outputs.conf stanzas with SOCKS5 proxy support enabled: