When configuring the Cisco eStreamer for Splunk application, can I ask why the pkcs12_password is not encrypted in the estreamer.conf file when Splunk is restarted?
It seems a bit of a security hole to have the cleartext password on the server and/or deployment server.
Any recommendations on how to encrypt the certificate password in the .conf file? Is this something that can/will be done in the next release?
A new Splunk Firepower solution is now available if you are using Firepower version 6.x. You can download the new eStreamer eNcore for Splunk and the separately installable dashboard from the two links below:
It is free to use and well documented, but if you would like to purchase a TAC Support service so that you can obtain installation and configuration assistance and troubleshooting, you can order the software from Cisco (support is obligatory with this purchase). The Product Identifier is: FP-SPLUNK-SW-K9.
Regardless of whether you take up the support option or not, updated versions will be made available to all free of charge and posted on Splunkbase as well as Cisco Downloads.
Here is what I got back from an expert:
I know Splunk stores a key in the splunk.secret file on the system which it uses to encrypt SSL passwords on startup; however, the encryption is limited to SSL passwords that use splunktcp-ssl (I think this is exclusive to data going from Splunk to Splunk: https://wiki.splunk.com/Community:Splunk2Splunk_SSL_DefaultCerts). We would need to consider this in the new app we build.
My understanding of this whole splunk.secret is pretty shaky, but from what I understand there is no way to do it unless we change and build the estreamer plugin to accommodate this.
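The practical consequence of the above is that an app-specific setting such as pkcs12_password stays in cleartext even after a restart, while settings Splunk itself owns get rewritten in encrypted form. The following is an added audit script, not code from the eStreamer app or from anyone in this thread, that parses a Splunk-style .conf file and reports credential keys whose values are not in Splunk's encrypted form. It assumes (the thread does not say this) that Splunk marks values it has encrypted with splunk.secret with a `$1$` or `$7$` prefix, and that a case-insensitive match on fragments like "password" and "secret" is enough to pick out credential keys; the sample conf text is constructed for the example.

```python
import re

# Constructed sample: a minimal Splunk-style .conf with two stanzas, for
# illustration only (not the real estreamer.conf shipped by the app).
SAMPLE_CONF = """\
[estreamer]
host = 192.0.2.10
port = 8302
pkcs12_file = /opt/splunk/etc/apps/estreamer/certs/client.pkcs12
pkcs12_password = hunter2

[sslConfig]
# Assumed example of a value Splunk has already encrypted with splunk.secret
sslPassword = $7$ZmFrZS1iYXNlNjQtYmxvYi1ub3QtcmVhbA==
"""

# Assumption: Splunk prefixes values it has encrypted with splunk.secret
# with $1$ (legacy scheme) or $7$ (current scheme); anything else is cleartext.
ENCRYPTED_PREFIXES = ("$1$", "$7$")

# Assumption: a case-insensitive substring match on these fragments is
# good enough to identify credential keys for an audit pass.
SECRET_KEY_FRAGMENTS = ("password", "passwd", "secret", "token")

STANZA_RE = re.compile(r"^\s*\[(?P<name>[^\]]*)\]\s*$")
KV_RE = re.compile(r"^\s*(?P<key>[^=#;][^=]*?)\s*=\s*(?P<value>.*?)\s*$")


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Keys that appear before any stanza header go under "default".
    Comment lines (# or ;) and blank lines are skipped.
    """
    stanzas = {}
    current = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m:
            stanzas.setdefault(current, {})[m.group("key")] = m.group("value")
    return stanzas


def is_secret_key(key):
    """True if the key name looks like it holds a credential."""
    k = key.lower()
    return any(frag in k for frag in SECRET_KEY_FRAGMENTS)


def find_cleartext_secrets(text):
    """Return [(stanza, key)] for credential keys whose value is not in
    Splunk's encrypted form. Empty values are not reported."""
    findings = []
    for stanza, kv in parse_conf(text).items():
        for key, value in kv.items():
            if not is_secret_key(key) or not value:
                continue
            if not value.startswith(ENCRYPTED_PREFIXES):
                findings.append((stanza, key))
    return findings


if __name__ == "__main__":
    for stanza, key in find_cleartext_secrets(SAMPLE_CONF):
        print(f"cleartext credential: [{stanza}] {key}")
```

Run against the sample, the script reports `[estreamer] pkcs12_password` and stays quiet about the `$7$` sslPassword value. Pointing it at the apps and deployment-apps directories of a search head or deployment server gives a quick inventory of which app settings are still sitting in cleartext after a restart.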
There is a final beta available right now. Just email me at firstname.lastname@example.org and I can provide it to you
We should have it released within a few weeks.
The event de-duplication will come in update later this summer.
Probably. I don't know if there will be a limit. Most important is the support for HA pairs with the ability to perform event de-duplication so that you don't jam double the events into Splunk.
Any update on the TA and app availability? I was hoping the new TA and app would help me with password encryption and "support of Defense Center HA pairs with the ability to perform event de-duplication".
Thanks for your help in advance!!