The Log Management team is transitioning to **Splunk Cloud** on a date to be determined.
After the transition, Splunk forwarders will send data to Splunk Cloud rather than to the current on-premises infrastructure. This also means that shortcuts such as https://sh-c1-1.portal.infosec.ohio-state.edu/splunk or https://portal.infosec.ohio-state.edu/sem will no longer work; please use https://go.osu.edu/splunk instead.
Following the migration date, emailed Splunk alerts will originate from "alerts@splunkcloud.com" rather than "cio-sem-admin@osu.edu". Please update any Outlook rules that match on the old sender address.
For any questions or concerns, please email otdi-logsupport@osu.edu.
Action Needed
Networking Changes
If you have Splunk forwarders, or systems that send to the HTTP Event Collector (HEC), deployed in an environment that does not have unrestricted outbound access, please add the following allow rules to your firewalls. Destination IPs and destination FQDNs are both listed so you can use whichever your firewall filters on:
- Forwarder ingestion:
  - Action: Allow
  - Destination IPs: 52.20.208.232, 13.216.131.231, 34.231.216.90
  - Destination FQDNs: inputs[1-15].osu.splunkcloud.com (inputs1 through inputs15)
  - Protocol: TCP
  - Port(s): 9997
- HEC ingestion:
  - Action: Allow
  - Destination IPs: 13.222.48.142, 34.236.83.232, 34.196.17.253
  - Destination FQDN: http-inputs-osu.splunkcloud.com
    - JSON-formatted events: https://http-inputs-osu.splunkcloud.com:443/services/collector/event
    - Raw events: https://http-inputs-osu.splunkcloud.com:443/services/collector/raw
  - Protocol: TCP
  - Port(s): 443
- API/Management:
  - Action: Allow
  - Destination IPs: 3.210.129.179, 34.230.146.78, 3.209.185.131
  - Destination FQDN: osu.splunkcloud.com (https://osu.splunkcloud.com)
  - Protocol: TCP
  - Port(s): 8089
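The rules above can be verified from a host behind the firewall before the cutover. The script below is an added example written for this page, not something from the Log Management team or from Splunk: it expands the inputs[1-15] shorthand, checks that each name resolves only to addresses on the published lists (an IP-based rule silently drops traffic to any other address), and attempts a TCP connect to each port. The HEC health URL (/services/collector/health) and the use of getent, timeout, curl and bash's /dev/tcp are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the notice): pre-cutover egress check for the Splunk Cloud
# endpoints listed above. POSIX sh plus getent, timeout, curl and bash (for /dev/tcp).

FORWARDER_PORT=9997
HEC_HOST="http-inputs-osu.splunkcloud.com"
HEC_PORT=443
MGMT_HOST="osu.splunkcloud.com"
MGMT_PORT=8089
# IP allow-lists exactly as published in the notice.
ALLOWED_FORWARDER_IPS="52.20.208.232 13.216.131.231 34.231.216.90"
ALLOWED_HEC_IPS="13.222.48.142 34.236.83.232 34.196.17.253"
ALLOWED_MGMT_IPS="3.210.129.179 34.230.146.78 3.209.185.131"

# Expand the inputs[1-15] shorthand into the fifteen hostnames it stands for.
forwarder_hosts() {
  i=1
  while [ "$i" -le 15 ]; do
    echo "inputs${i}.osu.splunkcloud.com"
    i=$((i + 1))
  done
}

# True when every address in $2 appears in the allow-list $1 (both space-separated).
# A mismatch means an IP-based firewall rule would drop traffic even though DNS works.
ips_allowed() {
  allowed="$1"
  for ip in $2; do
    case " $allowed " in
      *" $ip "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# TCP connect with a timeout; bash's /dev/tcp avoids a dependency on nc or nmap.
tcp_open() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Resolve one host, compare the answers with the allow-list, then try to connect.
check_endpoint() {
  host="$1"; port="$2"; allowed="$3"
  resolved=$(getent ahostsv4 "$host" | awk '{print $1}' | sort -u | tr '\n' ' ')
  if [ -z "$resolved" ]; then
    echo "FAIL $host: does not resolve"; return 1
  fi
  ips_allowed "$allowed" "$resolved" ||
    echo "WARN $host resolves to [${resolved% }], not all of which are on the allow-list"
  if tcp_open "$host" "$port"; then
    echo "OK   $host:$port"
  else
    echo "FAIL $host:$port (blocked or unreachable)"; return 1
  fi
}

run_checks() {
  rc=0
  for h in $(forwarder_hosts); do
    check_endpoint "$h" "$FORWARDER_PORT" "$ALLOWED_FORWARDER_IPS" || rc=1
  done
  check_endpoint "$HEC_HOST" "$HEC_PORT" "$ALLOWED_HEC_IPS" || rc=1
  check_endpoint "$MGMT_HOST" "$MGMT_PORT" "$ALLOWED_MGMT_IPS" || rc=1
  # Assumption: HEC's health endpoint answers without a token, so an HTTP 200 here
  # shows that TLS egress to the collector works end to end.
  curl -fsS --max-time 10 "https://${HEC_HOST}:${HEC_PORT}/services/collector/health" && echo || rc=1
  return $rc
}

# Probes run only when invoked as `sh splunk-egress-check.sh run`, so sourcing the
# file (for example to reuse the helpers) has no side effects.
if [ "${1:-}" = run ]; then run_checks; fi
```

Run it once per network segment that hosts forwarders or HEC clients; a WARN line means DNS now returns an address the IP rule does not cover, which is the failure mode an FQDN-based rule avoids.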
Forwarder Upgrades
As part of the transition, please review the version of the Splunk Universal Forwarder running on your systems. Forwarders running a version older than 9.x must be upgraded.
The Log Management team will contact units that require upgrades. If your unit is not contacted, no action is required, though upgrading to the latest version provided is still encouraged.
You can find the list of forwarders via the OneDrive links below. Instructions for upgrading are in the job aid Upgrading the Forwarder.
For all currently supported operating systems, please upgrade your forwarder to 9.4.4:
- Debian/Ubuntu (amd64): splunkforwarder-9.4.4-linux-amd64.deb
- RHEL-family (x86_64): splunkforwarder-9.4.4.x86_64.rpm
- Windows (x64): splunkforwarder-9.4.4-windows-x64.msi
If you cannot upgrade to 9.4, please reach out to the Log Management team for alternatives.
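To tell whether a given Linux host needs the upgrade, the check below (an added example, not the job aid's procedure) reads the version the forwarder records in $SPLUNK_HOME/etc/splunk.version and, where the major version is below 9, names the package from the list above that matches the host's package manager. The default install path /opt/splunkforwarder and the VERSION= line in splunk.version are assumptions of the example; follow the job aid for the actual upgrade steps.

```shell
#!/bin/sh
# Added example (not from the job aid): report whether the local Universal Forwarder
# falls under the "older than 9.x" rule and which 9.4.4 package applies to this host.
# Assumes the default install path; override with SPLUNK_HOME=/path.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
TARGET="9.4.4"

# Assumption: the forwarder ships $SPLUNK_HOME/etc/splunk.version with a VERSION=x.y.z line.
installed_version() {
  sed -n 's/^VERSION=//p' "${SPLUNK_HOME}/etc/splunk.version" 2>/dev/null
}

# True (exit 0) when the major version is below 9, i.e. the forwarder must be upgraded.
# An unparsable or empty version is also reported as needing attention.
needs_upgrade() {
  major="${1%%.*}"
  case "$major" in
    ''|*[!0-9]*) return 0 ;;
  esac
  [ "$major" -lt 9 ]
}

# Pick the package from the notice that matches this host's package manager.
package_for_host() {
  if command -v dpkg >/dev/null 2>&1; then
    echo "splunkforwarder-${TARGET}-linux-amd64.deb"
  elif command -v rpm >/dev/null 2>&1; then
    echo "splunkforwarder-${TARGET}.x86_64.rpm"
  else
    return 1
  fi
}

# One line per host, suitable for collecting over ssh across a unit's fleet.
report() {
  v=$(installed_version)
  if [ -z "$v" ]; then
    echo "$(hostname): no forwarder found under ${SPLUNK_HOME}"; return 2
  fi
  if needs_upgrade "$v"; then
    echo "$(hostname): UPGRADE ${v} -> ${TARGET} using $(package_for_host || echo 'an unknown package type, contact the Log Management team')"
    return 1
  fi
  echo "$(hostname): OK ${v} (9.x or newer)"
}

# Runs only when invoked as `sh uf-version-check.sh report`, so sourcing has no side effects.
if [ "${1:-}" = report ]; then report; fi
```

The exit status (0 current, 1 upgrade needed, 2 no forwarder) lets a fleet-wide loop sort hosts without parsing the text.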
Searching
On the cutover date, logs will begin to flow to Splunk Cloud. Data ingested prior to the transition will remain accessible, and a feature will be available to search historical data from the existing on-premises environment. As the migration date approaches, the Log Management team will provide additional details and guidance.