Has anyone had luck setting up secure (encrypted) syslog with this Addon? It only mentions creating a TCP input which would not be encrypted. Our Proofpoint is hosted at their cloud, so encryption between their cloud and our Heavy Forwarder onsite is imperative.
You could use inputs.conf - it offers encrypted receiving of data.
However, best practice is to run a dedicated syslog server, which receives the data and writes it to disk, and have Splunk monitor those files. This helps with reliability, as a syslog server restart might take less than one second, but restarting Splunk might take up to several minutes. You might lose data that comes in during such a restart - which also happens more often with Splunk instances than with syslog servers.
I'd therefore recommend to set up syslog-ng, with encryption enabled, and send your data there.
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
Ended up creating certificates and using the following configuration settings in inputs.conf. The key to making this work is the cipherSuite which is not a default cipher.
    [tcp-ssl://1518]
    sourcetype = pps_log
    index = proofpoint
    disabled = false
    acceptFrom = *comma separated list of your cluster server IPs*

    [SSL]
    requireClientCert = false
    serverCert = /opt/splunk/etc/apps/TA_pps/local/certs/combined.cer
    sslVersions = tls1.2
    cipherSuite = AES256-SHA
The serverCert file should be combined and in the following order:
    -----BEGIN CERTIFICATE-----
    (Your server certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your intermediate certificate (if you have one))
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    (Your private key)
    -----END RSA PRIVATE KEY-----
Proofpoint will need to load this certificate chain as well.
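An added example, not from the thread or from the TA, that scripts the chain-building step described in the answer above and checks the result before it is pointed to by serverCert. It uses a throwaway CA in place of the real issuer; the CA name, the hostname hf.example.internal and the work directory $WORK are placeholders and not from the original post:

```shell
#!/bin/sh
# Added example (not from the original thread): build a throwaway CA, issue a
# server certificate for the heavy forwarder, assemble combined.cer in the order
# the answer describes (server cert, issuer cert(s), private key) and check it.
# Assumptions (placeholders, not from the post): openssl on PATH, the CN
# hf.example.internal, the CA name and the work directory $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
LEAF_CN="hf.example.internal"

make_chain() {
  # Throwaway CA standing in for your real issuer or intermediate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # Key and CSR for the forwarder's tcp-ssl://1518 listener.
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$LEAF_CN" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  # Sign the CSR with the CA.
  openssl x509 -req -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" >/dev/null 2>&1
  # Order matters: leaf first, then the issuer chain, then the private key.
  cat "$WORK/server.crt" "$WORK/ca.crt" "$WORK/server.key" > "$WORK/combined.cer"
  chmod 600 "$WORK/combined.cer"   # the bundle contains the private key
  printf '%s\n' "$WORK/combined.cer"
}

# Print the PEM labels in file order, pipe-separated, e.g.
# "CERTIFICATE|CERTIFICATE|PRIVATE KEY|" (older OpenSSL writes "RSA PRIVATE KEY").
pem_order() {
  sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | tr '\n' '|'
}

# Check that a bundle is usable as serverCert: leaf first, leaf chains to the
# CA, and the embedded private key belongs to the leaf.
verify_chain() {
  bundle="$1"; ca="$2"; expect_cn="$3"
  # 1. The first PEM block must be the server cert (x509 reads only the first).
  openssl x509 -in "$bundle" -noout -subject | grep -q "CN *= *$expect_cn" || {
    echo "first certificate is not the server certificate" >&2; return 1; }
  # 2. The leaf must validate against the CA.
  openssl x509 -in "$bundle" | openssl verify -CAfile "$ca" >/dev/null 2>&1 || {
    echo "server certificate does not chain to $ca" >&2; return 1; }
  # 3. The private key at the end of the bundle must match the leaf's public key.
  pub_from_cert=$(openssl x509 -in "$bundle" -noout -pubkey)
  pub_from_key=$(sed -n '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/p' "$bundle" \
                 | openssl pkey -pubout)
  [ "$pub_from_cert" = "$pub_from_key" ] || {
    echo "private key does not match the server certificate" >&2; return 1; }
}

# The answer relies on cipherSuite = AES256-SHA; confirm the local OpenSSL offers it.
cipher_available() {
  openssl ciphers "$1" >/dev/null 2>&1
}

bundle=$(make_chain)
verify_chain "$bundle" "$WORK/ca.crt" "$LEAF_CN"
echo "bundle OK: $bundle ($(pem_order "$bundle"))"
cipher_available AES256-SHA || echo "warning: AES256-SHA not offered by local openssl" >&2
```

Two caveats for anyone copying this. Current OpenSSL writes the key with a "BEGIN PRIVATE KEY" (PKCS#8) header rather than the "BEGIN RSA PRIVATE KEY" header shown in the answer; OpenSSL reads either, and `openssl rsa -in server.key -traditional` (OpenSSL 3) produces the traditional header if you want the file to look exactly like the answer. More importantly, combined.cer contains the private key, so keep it at mode 600 and, when the Proofpoint side asks for the certificate chain, hand over only the certificate blocks (server plus intermediate/CA), never the key. Once the input is up, `openssl s_client -connect hf.example.internal:1518 -tls1_2 -cipher AES256-SHA` is the quick way to confirm the listener actually negotiates TLS 1.2 with that suite; note that AES256-SHA is TLS_RSA_WITH_AES_256_CBC_SHA, an RSA key exchange suite without forward secrecy, so treat it as the minimum the sender accepts rather than the preferred choice.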