topic Re: Syslog + SSL connection logs? in Getting Data In

Syslog + SSL connection logs?

PabloJulian — Wed, 20 Mar 2019 12:07:20 GMT

Hello All,
I am trying to configure McAfee ePO to send syslogs to Splunk; ePO requires the use of SSL. I've tried to configure an SSL input on port 6514 for TCP - syslog, and followed all the steps found in the web / manuals / etc. but I can't seem to be able to get this to work.

Here's my question: Where can I find logs that show the detail of the SSL negotiation with the remote host, and what is failing?

Thanks all,

Pablo

Re: Syslog + SSL connection logs?

bcyates — Wed, 20 Mar 2019 17:40:40 GMT

Sending syslog directly to Splunk is against best practice. You should send it to a syslog server like Rsyslog or Syslog-ng. Regardless, you would have to install certificates on the receiving host, otherwise handshake will fail.

Check out the answer here: https://answers.splunk.com/answers/658055/setup-secure-encrypted-syslog.html

But the splunkd.log would have any errors. /opt/splunk/var/log/splunk |grep -i error