https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131651#M3997 <P>As an alternative to building your own authenticated TCP input you could use the existing Splunk REST API endpoints: <A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fsimple">http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fsimple</A> for single events, <A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fstream">http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fstream</A> for streamed events.</P> Tue, 15 Apr 2014 08:20:00 GMT martin_mueller 2014-04-15T08:20:00Z https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131649#M3995 <P>I have set up a TCP input and have noticed that it is completely open by default. (For example if I hit that port from a web browser, it interprets the HTTP request as an event to be ingested). I need to be able to prevent arbitrary garbage from being ingested.</P> <P>I see in the docs that it is possible to lock down the import to specific hosts or IP addresses, but I need to be able to support data ingestion from anywhere. What I really need is some form of authentication on the input.</P> <P>Is this possible with TCP inputs?</P> <P>If not, I assume I would need to build my own authenticated TCP interface and then stream the data from that to Splunk. Is this a good approach? What is the best way to stream the data? Some sort of persistent queue?</P> Tue, 15 Apr 2014 00:35:49 GMT https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131649#M3995 pezcrap 2014-04-15T00:35:49Z https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131650#M3996 <P>What about using something like IPSEC between the hosts? Setting up an <A href="http://support.microsoft.com/kb/816514">IPSEC policy on Windows</A> is particularly simple. You can configure the policy such that it only allows communication on the given port if it is authenticated and secured.</P> Tue, 15 Apr 2014 04:18:36 GMT https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131650#M3996 LukeMurphey 2014-04-15T04:18:36Z https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131651#M3997 <P>As an alternative to building your own authenticated TCP input you could use the existing Splunk REST API endpoints: <A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fsimple">http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fsimple</A> for single events, <A href="http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fstream">http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fstream</A> for streamed events.</P> Tue, 15 Apr 2014 08:20:00 GMT https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131651#M3997 martin_mueller 2014-04-15T08:20:00Z https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131652#M3998 <P>Hi martin - that streamed events receiver looks useful. Is this exposed via the Java SDK? (I can't seem to find it) or it it necessary to hit the REST API directly?</P> Thu, 17 Apr 2014 02:29:19 GMT https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131652#M3998 pezcrap 2014-04-17T02:29:19Z https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131653#M3999 <P>Not quite sure about the regular SDK, however if you're already working in Java you should take a look at <A href="https://github.com/damiendallimore/SplunkJavaLogging">https://github.com/damiendallimore/SplunkJavaLogging</A> for logging directly to Splunk. On top of logging via TCP that comes with an implementation of logging to the authenticated REST API.</P> Thu, 17 Apr 2014 07:13:36 GMT https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131653#M3999 martin_mueller 2014-04-17T07:13:36Z https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131654#M4000 <P>So I think that there are couple of ways to address this.<BR /> 1) If your fowarding system is non-splunk: By writing a small proxy. You could spawn a small multi threaded TCP server (in python for ease), and then have some form of authentication of forwarders, as a handshake step after connection is established. After handshake is done you can just blindly start forwarding data to the tcpinput port.<BR /> 2) If you forwarding system is Splunk based: There is a mechanism of setting up shared secret keys between forwarding an receiving side. You can do this by <A href="https://docs.splunk.com/Documentation/Forwarder/6.4.2/Forwarder/Controlforwarderaccess#Configure_the_indexer_with_the_token">https://docs.splunk.com/Documentation/Forwarder/6.4.2/Forwarder/Controlforwarderaccess#Configure_the_indexer_with_the_token</A></P> Sat, 20 Aug 2016 00:19:57 GMT https://community.splunk.com/t5/Security/Authenticated-TCP-Input/m-p/131654#M4000 rdimri_splunk 2016-08-20T00:19:57Z