topic How to configure my splunk app to get data over SSL ? in Getting Data In

How to configure my splunk app to get data over SSL ?

ranjyotiprakash — Thu, 28 Jun 2012 09:19:20 GMT

How to configure my splunk app to get data over SSL ?

I am trying to generate reports based on the logs generated by Barracuda Web application firewall . The Barracuda appliance is configured to send the logs to my splunk instance through SSL connection type. Then how to configure my splunk app to get the data ?

Thanks...

Re: How to configure my splunk app to get data over SSL ?

dondky — Thu, 28 Jun 2012 17:55:06 GMT

Hi ranjyotiprakash,

The first question is how are you planning on forwarding the data into Splunk? Is it via syslog? You mention "The Barracuda appliance is configured to send the logs to my splunk instance through SSL connection type" Does this mean you already set it up?

I did some digging around and it looks like the Barracuda supports Syslog over SSL. You would have to configure your syslog receiver (Rsyslog, Syslog-ng) that is running on a dedicated syslog collector or the splunk indexer itself to receive via SSL. One you start receiving data via syslog over ssl you can then decide to forward the data to an indexer or index the data directly on the indexer.

See: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configureyourinputs

Re: How to configure my splunk app to get data over SSL ?

ranjyotiprakash — Fri, 29 Jun 2012 05:31:25 GMT

Hi dondky,

Thanks for your reply.The Barracuda Web application Firewall is having three options available as connection type through which we can configure a syslog server on web application firewall. They are - UDP, TCP and SSL. For UDP and TCP, I configured the inputs.conf of my app as :

[udp://514]
connection_host = none
sourcetype = syslog
disabled = 0

[tcp://514]
connection_host = none
sourcetype = syslog
disabled = 0

But, If I choose the SSL option as the connection type for the syslog server. In that case, what should be the work around to get the data to my splunk setup ?
Thanks..

Re: How to configure my splunk app to get data over SSL ?

Ayn — Fri, 29 Jun 2012 06:23:08 GMT

Have a look at the docs for inputs.conf. http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Inputsconf

Specifically, there's the tcp-ssl input type that will receive data over an SSL connection. Also have a look at the SSL stanza for additional settings for SSL inputs.

[tcp-ssl:<port>]
* Use this stanza type if you are receiving encrypted, unparsed data from a forwarder or third-party system.
* Set <port> to the port on which the forwarder/third-party system is sending unparsed, encrypted data.

Re: How to configure my splunk app to get data over SSL ?

ChrisG — Fri, 29 Jun 2012 15:24:02 GMT

Following on Ayn's posting here...there is more detail about the configuration of inputs.conf and outputs.conf in the Securing Splunk Manual: http://docs.splunk.com/Documentation/Splunk/5.0/Security/Aboutsecuringdatafromforwarders .

Re: How to configure my splunk app to get data over SSL ?

TonyLeeVT — Sat, 20 Aug 2016 20:43:24 GMT

After checking splunkd.log and a little troubleshooting, I was able to get the tcp-ssl port to listen and receive ssl encrypted traffic from a third party device. I used the following steps:

Generate certs:

mkdir /opt/splunk/etc/certs
export OPENSSL_CONF=/opt/splunk/openssl/openssl.cnf
/opt/splunk/bin/genRootCA.sh -d /opt/splunk/etc/certs

/opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n splunk -c splunk -p

**Note: It will ask you to enter a password

In inputs.conf, I used the following:

[tcp-ssl://6514]
Sourcetype = <your source type here>

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCERT = $SPLUNK_HOME/etc/certs/splunk.pem
password = <The password that was used in the genSignedServerCert>

You may want to use netstat -an | grep :6514 to make sure the port is listening after a restart. If not, check /opt/splunk/var/log/splunkd/splunkd.log again for errors. Hope that helps!