https://community.splunk.com/t5/Splunk-Enterprise/How-to-transfer-data-from-the-data-source-to-forwarder-via/m-p/590118#M11876 <P>Ok, some things need clarification. Whereas TCP or HTTP are relatively strict terms, syslog is a very loosely applied name regarding to - depending on context - many things from completely anything sent to UDP/514 to a particular RFC5424 message format.</P><P>Most probably by saying "syslog over TLS" you mean a simple tcp-tls-based input regardless of what's being sent there.</P><P>Yes, it can be done. Just use tcp-tls: input instead of tcp:. Parameters regarding encryption/authentication not specified within particular input will be pulled from defaul [SSL] stanza.</P><P>In case of simple network inputs however, it's often worth considering setting up intermediate syslog-processing layer (sc4s, rsyslog...) to keep the network-level metadata.</P><P>And yes, technicaly speaking, you could of course use the splunk's internal certificates but it's generally good idea to use your own CA in production environment.</P> Tue, 22 Mar 2022 06:17:29 GMT PickleRick 2022-03-22T06:17:29Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-transfer-data-from-the-data-source-to-forwarder-via/m-p/590101#M11869 <P>I would like to transfer data from the data source to Forwarder via Syslog over TLS.<BR />Is it possible to use the default SSL certificate provided by Splunk to transfer data from the data source to the forwarder over Syslog over TLS?<BR />Is it possible to use the default SSL certificate provided by Splunk on non-Splunk equipment?</P> Tue, 22 Mar 2022 05:25:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-transfer-data-from-the-data-source-to-forwarder-via/m-p/590101#M11869 AHA-0114 2022-03-22T05:25:11Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-transfer-data-from-the-data-source-to-forwarder-via/m-p/590109#M11872 <P>I'm not a Syslog expert but if you are using rsyslog then this (<A href="https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html" target="_blank">https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html</A>) document might be useful.</P> Tue, 22 Mar 2022 05:40:48 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-transfer-data-from-the-data-source-to-forwarder-via/m-p/590109#M11872 VatsalJagani 2022-03-22T05:40:48Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-transfer-data-from-the-data-source-to-forwarder-via/m-p/590118#M11876 <P>Ok, some things need clarification. Whereas TCP or HTTP are relatively strict terms, syslog is a very loosely applied name regarding to - depending on context - many things from completely anything sent to UDP/514 to a particular RFC5424 message format.</P><P>Most probably by saying "syslog over TLS" you mean a simple tcp-tls-based input regardless of what's being sent there.</P><P>Yes, it can be done. Just use tcp-tls: input instead of tcp:. Parameters regarding encryption/authentication not specified within particular input will be pulled from defaul [SSL] stanza.</P><P>In case of simple network inputs however, it's often worth considering setting up intermediate syslog-processing layer (sc4s, rsyslog...) to keep the network-level metadata.</P><P>And yes, technicaly speaking, you could of course use the splunk's internal certificates but it's generally good idea to use your own CA in production environment.</P> Tue, 22 Mar 2022 06:17:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-transfer-data-from-the-data-source-to-forwarder-via/m-p/590118#M11876 PickleRick 2022-03-22T06:17:29Z