topic Re: SSL Letsencrypt for Splunk on Ubuntu in Monitoring Splunk

SSL Letsencrypt for Splunk on Ubuntu

JosIJntema — Sun, 05 Mar 2017 20:29:54 GMT

Hi there,

I have started my own Ubuntu 16.04 server and installed Splunk. This goes smoothly.

Also I have added a domain to the server and setup Let's Encrypt.

In the docs I find things about Splunk Web and SSL, but I cannot get this to work for my Splunk. For one, is that I do not have a web.conf.

How should I secure my Splunk environment? What is needed to do this the best way?

I will mainly user the HTTP Event Collector.

I am quite new to this, so any suggestions and help would be great.

Thanks.

Jos

Re: SSL Letsencrypt for Splunk on Ubuntu

mattymo — Sun, 05 Mar 2017 22:16:24 GMT

Hey JoslJntema,

Have you see this blog on using letsencrypt for splunk web?

https://www.splunk.com/blog/2016/08/12/secure-splunk-web-in-five-minutes-using-lets-encrypt/

What version of Splunk are you working with? You will need to ensure you have the Full Splunk Enterprise instance installed, not the universal forwarder...

http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/AboutsecuringyourSplunkconfigurationwithSSL

You can also check out April 2016's talk from duckfez and starcher for a great overview:

https://wiki.splunk.com/Virtual_.conf

Once you have secured Splunk web, you can then move to HEC, which since 6.4 has it's own [http] stanza. in inputs.conf (it used to share splunkd's ssl config in server.conf)

https://www.splunk.com/blog/2016/05/03/splunk-6-4-using-cors-and-ssl-settings-with-http-event-collector/

http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector

Anyways, I suggest starting with securing Splunkweb first with your certs, then moving to securing HEC

Re: SSL Letsencrypt for Splunk on Ubuntu

JosIJntema — Mon, 06 Mar 2017 06:33:55 GMT

Hi mmdoestino,

Thanks for your response.

First the web.conf was not available. When I tried to set SSL in the General Settings tab, it created the web.conf. Then I followed the tutorial and now it works.

However, I do not get the HEC to work.

I see in http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Inputsconf#.5Bhttp.5D the following new settings for the [http] stanza:

sslKeysfile
sslKeysfilePassword
caCertFile
caPath
serverCert
sslVersions

Which do I need to use when I am using the Let's Encrypt .pem files?

Re: SSL Letsencrypt for Splunk on Ubuntu

mattymo — Mon, 06 Mar 2017 18:49:00 GMT

As for the HEC use of SSL, if you simply flip on SSL in the global options (aka enableSSL=1) it will use the settings from server.conf...which look like this on my machine.

[splunker@n00bserver bin]$ ./splunk btool server list --debug

/home/splunker/splunk/etc/system/local/server.conf                                   [sslConfig]
/home/splunker/splunk/etc/system/default/server.conf                                 allowSslCompression = true
/home/splunker/splunk/etc/system/default/server.conf                                 allowSslRenegotiation = true
/home/splunker/splunk/etc/system/default/server.conf                                 caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
/home/splunker/splunk/etc/system/default/server.conf                                 caPath = $SPLUNK_HOME/etc/auth
/home/splunker/splunk/etc/system/default/server.conf                                 certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
/home/splunker/splunk/etc/system/default/server.conf                                 cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
/home/splunker/splunk/etc/system/default/server.conf                                 enableSplunkdSSL = true
/home/splunker/splunk/etc/system/default/server.conf                                 sendStrictTransportSecurityHeader = false
/home/splunker/splunk/etc/system/default/server.conf                                 serverCert = $SPLUNK_HOME/etc/auth/server.pem
/home/splunker/splunk/etc/system/local/server.conf                                   sslPassword = <REDACTED>
/home/splunker/splunk/etc/system/default/server.conf                                 sslVersions = *,-ssl2
/home/splunker/splunk/etc/system/default/server.conf                                 sslVersionsForClient = *,-ssl2
/home/splunker/splunk/etc/system/default/server.conf                                 useClientSSLCompression = true
/home/splunker/splunk/etc/system/default/server.conf                                 useSplunkdClientSSLCompression = true
/home/splunker/splunk/etc/system/default/server.conf

I would try throwing your certs in the auth dir and pointing to it from the inputs, similar to how the caCertFile and path & server cert are set above.

I will try and get my letsencrypt set up cookin and let you know, or will confirm with others much smarter than me 😉