All Apps and Add-ons

Cisco eStreamer for Splunk: How to encrypt the certificate password in the estreamer.conf file?

TWiseOne
Path Finder

Hi,
When configuring the Cisco eStreamer for Splunk application, can I ask why the pkcs12_password is not encrypted in the estreamer.conf file when Splunk is restarted?

It seems a bit of a security hole to have the cleartext password on the server and/or deployment server.

Any recommendations on how to encrypt the certificate password in the .conf file? Is this something that can/will be done in the next release?

Thanks.

Tom.

0 Karma

douglashurd
Builder

A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:

eStreamer eNcore
https://splunkbase.splunk.com/app/3662/

eNcore Dashboard
https://splunkbase.splunk.com/app/3663/

It is free to use and well documented but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting you can order the software from Cisco (support obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.

Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.

0 Karma

douglashurd
Builder

Here is what I got back from an expert:

I know splunk stores a key in the splunk.secret file on the system which is uses to encrypt ssl passwords on startup however the encryption is limited to ssl passwords that use splunktcp-ssl (i think this is exclusive to data going from splunk to splunk https://wiki.splunk.com/Community:Splunk2Splunk_SSL_DefaultCerts). We would need to consider this in the new app we build.

My understanding on this whole splunk.secret is pretty shaky but from what I understand there is no way to do it unless we change and build the estreamer plugin to accommodate this.

0 Karma

douglashurd
Builder

There is a final beta available right now. Just email me at dohurd@cisco.com and I can provide it to you

We should have it released w/in a few weeks.

The event de-duplication will come in update later this summer.

Doug

douglashurd
Builder

Probably. I don't if there will be a limit. Most important is the support for HA pairs with the ability to perform event de-duplication so that you don't jam double the events into splunk.

0 Karma

douglashurd
Builder

The new TA and app should be available by the end of April.

Doug

0 Karma

hmclaren_splunk
Splunk Employee
Splunk Employee

Amazing! Will it include the ability to configure multiple Defense Centres? We have 8...

0 Karma

douglashurd
Builder

Should be available by the end of April!

0 Karma

varma1729
New Member

Hello Douglas,

Any update on the TA and app availability, I was hoping the New TA & App will help me with Password encryption & "support of Defense Center HA pairs with the ability to perform event de-duplication".

Thanks for your help in advance!!

Regards,
Varma.

0 Karma

hmclaren_splunk
Splunk Employee
Splunk Employee

Any idea when the new App might be ready (which support multiple DCs per App install)? Cheers

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!