I am trying to set up our Splunk architecture to be able to receive events from clients/workstations outside our local network. The simplest solution is just making the main indexer externally accessible, but we don't want to do that. Is there a way to set up a Heavy Forwarder like a proxy to receive events from external clients and then send them to the main indexer? I haven't been able to find anything related to this when I try to research.
Thanks.
Yes, you could set up a HF and make it accessible to external clients. This is a common way to handle situations like this. The HF is like a DMZ in that outsiders can connect to it, but the network only allows traffic from the HF to reach the indexers.
BTW, there's no such thing as a "main indexer" in Splunk. Indexers are referred to as "search peers" because they're all equal.
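A configuration sketch of the intermediate-forwarder layout described in the answer above, added here as an illustration and not part of the original reply. The hostnames, port 9997, certificate paths and the group name `internal_indexers` are assumptions; TLS with client certificates is an added hardening choice for the externally reachable listener, not something the thread specifies.

```ini
# ---- Heavy Forwarder (DMZ host): inputs.conf ----
# Listen for forwarder traffic over TLS only; no plain [splunktcp://...] stanza.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# Placeholder certificate path and password (assumptions).
serverCert = $SPLUNK_HOME/etc/auth/example/hf-server.pem
sslPassword = <key-password>
# Reject external clients that do not present a certificate signed by your CA.
requireClientCert = true

# ---- Heavy Forwarder: server.conf ----
[sslConfig]
# CA bundle used to validate the client certificates (placeholder path).
sslRootCAPath = $SPLUNK_HOME/etc/auth/example/ca.pem

# ---- Heavy Forwarder: outputs.conf ----
# Do not keep a local copy of the data; relay everything to the indexers.
[indexAndForward]
index = false

[tcpout]
defaultGroup = internal_indexers

[tcpout:internal_indexers]
# Internal indexers (hypothetical names); only the HF is allowed to reach them.
server = idx1.internal.example:9997, idx2.internal.example:9997
useACK = true

# ---- External workstation (Universal Forwarder): outputs.conf ----
[tcpout]
defaultGroup = dmz_hf

[tcpout:dmz_hf]
# Public name of the Heavy Forwarder (hypothetical).
server = hf.dmz.example:9997
clientCert = $SPLUNK_HOME/etc/auth/example/uf-client.pem
sslPassword = <key-password>
sslVerifyServerCert = true
```

The firewall rules carry the isolation the answer describes: external clients may reach only the Heavy Forwarder's listening port, and only the Heavy Forwarder may reach the indexers' receiving port.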