https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483077#M11122 <P>Hi there.</P> <P>I trying to configure Splunk to receiving data from TCP port 514.</P> <P>I using default Splunk certificates witch are generated in /opt/splunk/etc/auth </P> <P>I configured inputs.conf :</P> <P>[tcp-ssl:514]<BR /> sourcetype = syslog</P> <P>[SSL]</P> <P>rootCA = /opt/splunk/etc/auth/cacert.pem<BR /> serverCert = /opt/splunk/etc/auth/server.pem</P> <P>On my network device I configured to send syslog to my Splunk server address via Tcp port 514 and import cacert.pem</P> <P>After that i can't explore logs via this device but logos are hashed. </P> <P>What I am doing wrong?</P> Wed, 26 Feb 2020 10:59:10 GMT tskubisz 2020-02-26T10:59:10Z https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483077#M11122 <P>Hi there.</P> <P>I trying to configure Splunk to receiving data from TCP port 514.</P> <P>I using default Splunk certificates witch are generated in /opt/splunk/etc/auth </P> <P>I configured inputs.conf :</P> <P>[tcp-ssl:514]<BR /> sourcetype = syslog</P> <P>[SSL]</P> <P>rootCA = /opt/splunk/etc/auth/cacert.pem<BR /> serverCert = /opt/splunk/etc/auth/server.pem</P> <P>On my network device I configured to send syslog to my Splunk server address via Tcp port 514 and import cacert.pem</P> <P>After that i can't explore logs via this device but logos are hashed. </P> <P>What I am doing wrong?</P> Wed, 26 Feb 2020 10:59:10 GMT https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483077#M11122 tskubisz 2020-02-26T10:59:10Z https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483078#M11123 <P>You would need the certificate on the syslog server<BR /> I would update the app structure to the below so you can push the config to multiple endpoints via the deployment server </P> <P><EM>base_app_name</EM> EG: org_environment_type_base_app<BR /> -- <EM>auth</EM><BR /> ---- serverCert.pem<BR /> ---- rootCACert.pem<BR /> -- defaults OR local<BR /> ---- inputs.conf <BR /> ---- server.conf <BR /> ---- outputs.conf</P> <P>Your inputs.conf should contain</P> <PRE><CODE>[SSL] serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem sslPassword = #encryptedPassword sslVersion = # version ### optional requiredClientCert = # boolean </CODE></PRE> <P>your server.conf should contain</P> <PRE><CODE>[sslConfig] serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem sslRootCAPath= SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem ### note rootCA is depreciated sslPassword = #password [deployment] pass4SymmKey = #password </CODE></PRE> <P>You also need an outputs.conf</P> <PRE><CODE>[tcpout] sslPassword = #password clientCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem sslVersion = # version ### optional </CODE></PRE> <P>Hope this helps</P> Wed, 30 Sep 2020 04:25:08 GMT https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483078#M11123 anmolpatel 2020-09-30T04:25:08Z https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483079#M11124 <P>Thank you for help.<BR /> I not sure did I correct understand this steps.<BR /> Is that mean that I need to generate new certificate for client and upload this on Device from syslog is sending? (Synology NAS in my case) <BR /> Also can't find what is default password. I don't created any password for SSL.</P> Thu, 05 Mar 2020 13:39:17 GMT https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483079#M11124 tskubisz 2020-03-05T13:39:17Z https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483080#M11125 <P>@tskubisz This will give you a walkthrough on how to generate it all for Splunk<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates">https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates</A></P> <P>Yes, the certificate needs to be on the Device sending the syslog, go through this document for a thorough walkthrough<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/ConfigureSplunkforwardingtousesignedcertificates">https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/ConfigureSplunkforwardingtousesignedcertificates</A></P> <P>Validation step:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration">https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration</A></P> Thu, 05 Mar 2020 20:33:58 GMT https://community.splunk.com/t5/Security/TCP-Data-Input-and-SSL/m-p/483080#M11125 anmolpatel 2020-03-05T20:33:58Z