
Setup Secure (Encrypted) Syslog

Communicator

Has anyone had luck setting up secure (encrypted) syslog with this Addon? It only mentions creating a TCP input which would not be encrypted. Our Proofpoint is hosted at their cloud, so encryption between their cloud and our Heavy Forwarder onsite is imperative.


Re: Setup Secure (Encrypted) Syslog

SplunkTrust

Hey,
you could use [tcp-ssl://1234] in inputs.conf - it offers encrypted receiving of data.
However, best practice is to run a dedicated syslog server, which receives the data and writes it to disk, and have Splunk monitor those files. This helps with reliability, as a syslog server restart might take less than one second, but restarting Splunk might take up to several minutes. You might lose data that would come in during such a restart - which also happens more often with Splunk instances than with syslog servers.
I'd therefore recommend setting up syslog-ng, with encryption enabled, and sending your data there.

Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂


Re: Setup Secure (Encrypted) Syslog

Communicator

The proofpoint cloud cluster caches some amount of logs, so a Splunk restart shouldn't result in a loss of logs.


Re: Setup Secure (Encrypted) Syslog

Communicator

Ended up creating certificates and using the following configuration settings in inputs.conf. The key to making this work is the cipherSuite which is not a default cipher.

[tcp-ssl://1518]
sourcetype = pps_log
index = proofpoint
disabled = false
acceptFrom = *comma separated list of your cluster server IPs*

[SSL]
requireClientCert = false
serverCert = /opt/splunk/etc/apps/TA_pps/local/certs/combined.cer
sslVersions = tls1.2
cipherSuite = AES256-SHA

The serverCert file should be combined and in the following order:

-----BEGIN CERTIFICATE-----
(Your server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate (if you have one))
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key)
-----END RSA PRIVATE KEY-----

Proofpoint will need to load this certificate chain as well.
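As an added check (not from the original post or the Proofpoint add-on), a stdlib-only Python script that validates the block order of the combined PEM file described above and, given a host and port, probes the tcp-ssl input to confirm it negotiates TLS 1.2 with the configured cipher; the PEM contents, host and port are constructed placeholders.

```python
import re
import socket
import ssl

# Constructed sample of a combined PEM file in the order the post describes:
# server certificate, optional intermediate(s), then the RSA private key.
# The base64 bodies are placeholders, not real key material.
SAMPLE_COMBINED_PEM = """-----BEGIN CERTIFICATE-----
MIIB...server-placeholder...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...intermediate-placeholder...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIE...key-placeholder...
-----END RSA PRIVATE KEY-----
"""

# Tolerates trailing spaces and CRLF line endings, which break some loaders.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----[ \t]*\r?\n.*?\r?\n-----END \1-----", re.S)

def pem_labels(text):
    """Return the ordered PEM block labels found in the file."""
    return PEM_BLOCK.findall(text)

def check_combined_pem(text):
    """Validate the layout Splunk's serverCert expects: one or more
    CERTIFICATE blocks followed by exactly one private key as the last
    block. Returns (ok, reason)."""
    labels = pem_labels(text)
    if not labels:
        return False, "no PEM blocks found"
    keys = [l for l in labels if "PRIVATE KEY" in l]
    if len(keys) != 1:
        return False, f"expected one private key block, found {len(keys)}"
    if "PRIVATE KEY" not in labels[-1]:
        return False, "private key must be the last block"
    if any(l != "CERTIFICATE" for l in labels[:-1]):
        return False, "only CERTIFICATE blocks may precede the key"
    return True, f"{len(labels) - 1} certificate(s) then a private key"

def probe_listener(host, port, cipher="AES256-SHA", timeout=5):
    """Connect to the tcp-ssl input with TLS 1.2 only and the given cipher;
    return the negotiated (protocol, cipher). Verification is disabled
    because this checks the listener's settings, not the trust chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]
```

AES256-SHA is a CBC suite without forward secrecy, so confirm it is the cipher the Proofpoint side actually requires before restricting the listener to it.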
