topic Re: Tcp data input and ssl in Security

Tcp data input and ssl

Hari — Tue, 01 Sep 2020 13:15:15 GMT

I have configured /local/inputs.confg file for tcp input data for ssl as suggested in documents. But after restart the splunk when it is not working.

I am using 8.x version. Please suggest the way to securely send tcp data from my application to splunk server using ssl certificate.

Re: Tcp data input and ssl

thambisetty — Tue, 01 Sep 2020 14:20:45 GMT

It's not very easy process.

I should explain starting from generating CSR.

#Switch user to user which is running splunkd service, for example: splunkd is running with splunk user. sudo su - splunk # Change directory to $SPLUNK_HOME, for example splunk is under /opt cd /opt/splunk/ #1 Generate Key this will prompt for passphrase, key in and remember the passphrase openssl genrsa -des3 -out splunk_2_splunk_server.key 3072 #2 Add All your Indexers or Heavy forwarders ( this is basically receiver/server) to issue single certifcate) with Cert Details for the above key #3 Make sure to fill replace all values inside <> # for example /C=India # DNS:splunkidx02.domain.com openssl req -new -sha256 -key splunk_2_splunk_server.key -out splunk_2_splunk_server.csr -subj "/C=<country>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<certficate_name>" -reqexts SAN -config <(cat /opt/splunk/openssl/openssl.cnf <(printf "req_extensions = v3_req\n[SAN]\nsubjectAltName=DNS:<receiver1_fqdn>,DNS:<receiver2_fqdn>")) -out splunk_2_splunk_server.csr #4 View CSR in plain text for validation openssl req -in splunk_2_splunk_server.csr -noout -text repeat steps #1-#4 to create a CSR for client, don't use same passphrase for both client and server. for example you have created client csr "splunk_2_splunk_client.csr" and server csr "splunk_2_splunk_server.csr" sign both of them using your CA. # if your company provides p7b cert, you can convert p7b to pem because pem is required in splunk openssl pkcs7 -print_certs -in <yourcert>.p7b -out splunk_2_splunk.pem Now, you have client key with passphrase, client pem certificate and server key with passphrase, server pem certificate. #this should go to server ( HF or Indexer) create an app appforhforindexer create a directory cert inside it create server.pem inside cert directory server.pem: is combination of below server_signed_cert.pem server.key internmediate.pem (if any) root.pem #I have deployed app to HF/Indexer using Deployment server. /opt/splunk/etc/deployment-apps/<appforhforindexer>/local/inputs.conf [splunktcp-ssl:9997] disabled = 0 [SSL] serverCert = $SPLUNK_HOME/etc/apps/<appforhforindexer>/cert/server.pem requireClientCert = false sslPassword = <server_key_passphraseinplaintext> Client Configuration (this should go to universal forwarders) create an app appforclient create a directory cert inside it create client.pem inside cert directory client.pem: is combination of below client_signed_cert.pem client.key internmediate.pem (if any) root.pem /opt/splunk/etc/deployment-apps/<appforclient>/local/outputs.conf [tcpout] defaultGroup = <yourtcpoutgroup> [tcpout:<yourtcpoutgroup>] server = server1:9997,server2:9997 clientCert = $SPLUNK_HOME/etc/apps/<appforclient>/cert/client.pem sslPassword = <client_key_passphraseinplaintext> useClientSSLCompression = true sslVerifyServerCert = false

Re: Tcp data input and ssl

Hari — Mon, 07 Sep 2020 07:12:13 GMT

Hello,

Do i need to add Protocal data input add-on to the splunk to communicate my application with splunk on ssl tcp. I want to inform here that i am using Serilog API's TCPSyslog() to send message to splunk.

I am using Splunk 8.0.X version on windows 10.

Please suggest the way to send data to splunk using secured tcp input. And also inform me if any additional setting need to do in splunk. I am totally new to this tool.

Re: Tcp data input and ssl

thambisetty — Tue, 08 Sep 2020 18:24:50 GMT

@Hari
Are you forwarding events to Splunk using HTTP event collector?

Re: Tcp data input and ssl

Hari — Tue, 08 Sep 2020 19:09:02 GMT

I am forwarding data using tcp data input. So if I send data to tcp input data port, data is recieved successfully ( I am not using any data security certificate). But I want to use ssl security certificate for this data transmission.

Is there any way to send data to splunk tcp data input port by using ssl/tls security certificate.

Note: I want to mention that I am using Serilog logging framework in my application to send data to splunk.

Re: Tcp data input and ssl

thambisetty — Tue, 08 Sep 2020 19:37:39 GMT

You can follow the process I shared in my first answer.