topic Re: Verifying Secure Communication between forwarders and indexers in Security

Verifying Secure Communication between forwarders and indexers

anoopdi — Wed, 30 Sep 2020 01:45:00 GMT

I recently enabled SSL connection between forwarders and indexers. When I check the metrics log for a UF with SSL enabled , i see this in the data. The connection type is showing as cookedSSL but ssl=fasle. Does that mean the connection is not secure? And the surprising part is, i see events in metrics.log for the same host with ssl=true entries. I am confused.

08-15-2019 16:10:56.061 +0000 INFO Metrics - group=tcpin_connections, xx.zz.yy.xx:52306:9997, connectionType=cookedSSL, sourcePort=52306, sourceHost=10.176.240.50, sourceIp=10.176.240.50, destPort=9997, kb=0.33, _tcp_Bps=10.97, _tcp_KBps=0.01, _tcp_avg_thruput=1.19, _tcp_Kprocessed=158.37, _tcp_eps=0.03, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.00, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=f817a93effc2, version=7.2.7, os=Linux, arch=x86_64, hostname=deployer, guid=6C69F32A-8F26-4F9F-831D-CA1623C5FA4A, fwdType=full, ssl=false, lastIndexer="10.176.240.39:9997,10.176.240.85:9997", ack=true

Re: Verifying Secure Communication between forwarders and indexers

somesoni2 — Thu, 15 Aug 2019 17:41:26 GMT

See this:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Validateyourconfiguration

Re: Verifying Secure Communication between forwarders and indexers

anoopdi — Thu, 15 Aug 2019 18:05:31 GMT

i was using that link for the verification that's where I noticed that log. I dont see any errors in splunkd.log about SSL, both on indexers and forwarders. I think the secure communication is working but wanted to confirm that.

Re: Verifying Secure Communication between forwarders and indexers

ansif — Thu, 21 May 2020 14:49:48 GMT

@anoopdi : Did you get any confirmation on this?

Re: Verifying Secure Communication between forwarders and indexers

mguhad — Wed, 30 Sep 2020 05:31:36 GMT

To verify, please run this search on the SH (if all nodes are sending their internal logs to the indexing layer) :
index=_internal source=metrics.log group=tcpin_connections |
dedup hostname | table _time hostname version sourceIp destPort ssl

alternatively you can check manually verify the port using the openssl suite:
/opt/splunk/bin/splunk cmd openssl s_client -connect :

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Validateyourconfiguration
Hope this helps!

Re: Verifying Secure Communication between forwarders and indexers

aaditi25 — Sun, 19 Dec 2021 07:24:57 GMT

Hey anoopdi,

Did you get any clarity with whether the communication is been secured or no ? Because I am getting the exact entries in the internal logs. (connectionType=cookedSSL but SSL=false sometimes and SSL=true sometimes).

Re: Verifying Secure Communication between forwarders and indexers

hrawat — Wed, 22 Nov 2023 04:29:50 GMT

Is the forwarder using indexer discovery ?