https://community.splunk.com/t5/Getting-Data-In/How-can-Splunk-provide-forwarding-receiving-security/m-p/447230#M77792 <P>Hi,</P> <P>I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation <A href="http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders">http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders</A></P> <P>Other way is to secure Indexer and Forwarder using <CODE>Token</CODE> but I never tried this, have a look at outputs.conf for Forwarder config</P> <PRE><CODE>token = &lt;string&gt; * The access token for receiving data. * Optional. * If you configured an access token for receiving data from a forwarder, Splunk software populates that token here. * If you configured a receiver with an access token and that token is not specified here, the receiver rejects all data sent to it. * No default. </CODE></PRE> <P>and look at inputs.conf for Indexer.</P> <PRE><CODE># Access control settings. [splunktcptoken://&lt;token name&gt;] * Use this stanza to specify forwarders from which to accept data. * You must configure a token on the receiver, then configure the same token on forwarders. * The receiver discards data from forwarders that do not have the token configured. * This setting is enabled for all receiving ports. * This setting is optional. token = &lt;string&gt; * Value of token. </CODE></PRE> Fri, 14 Dec 2018 09:57:31 GMT harsmarvania57 2018-12-14T09:57:31Z https://community.splunk.com/t5/Getting-Data-In/How-can-Splunk-provide-forwarding-receiving-security/m-p/447229#M77791 <P>When enabling the receiving function in a Splunk Enterprise instance (indexer for example), it will be listening on port 9997 by default (changeable) and any forwarder with the information (indexer IP:port ) can forward data and it will be well received.</P> <P>My question here is: I think i am missing something but...</P> <P><STRONG>If a forwarder is a malicious or external one that can infect or disable the whole process by sending a massive storage ??</STRONG> </P> <P><STRONG>How can Splunk provide forwarding/receiving security (authentication / authorization ) ??</STRONG></P> Fri, 14 Dec 2018 09:45:03 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-Splunk-provide-forwarding-receiving-security/m-p/447229#M77791 arlakathena 2018-12-14T09:45:03Z https://community.splunk.com/t5/Getting-Data-In/How-can-Splunk-provide-forwarding-receiving-security/m-p/447230#M77792 <P>Hi,</P> <P>I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation <A href="http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders">http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders</A></P> <P>Other way is to secure Indexer and Forwarder using <CODE>Token</CODE> but I never tried this, have a look at outputs.conf for Forwarder config</P> <PRE><CODE>token = &lt;string&gt; * The access token for receiving data. * Optional. * If you configured an access token for receiving data from a forwarder, Splunk software populates that token here. * If you configured a receiver with an access token and that token is not specified here, the receiver rejects all data sent to it. * No default. </CODE></PRE> <P>and look at inputs.conf for Indexer.</P> <PRE><CODE># Access control settings. [splunktcptoken://&lt;token name&gt;] * Use this stanza to specify forwarders from which to accept data. * You must configure a token on the receiver, then configure the same token on forwarders. * The receiver discards data from forwarders that do not have the token configured. * This setting is enabled for all receiving ports. * This setting is optional. token = &lt;string&gt; * Value of token. </CODE></PRE> Fri, 14 Dec 2018 09:57:31 GMT https://community.splunk.com/t5/Getting-Data-In/How-can-Splunk-provide-forwarding-receiving-security/m-p/447230#M77792 harsmarvania57 2018-12-14T09:57:31Z