Bootstrapping a secure management configuration wi...

afx · ‎05-06-2019

Distributing certificates to forwarders for the indexer configuration works fine in Splunk.
But what about the management communication?
It seems to be a chicken and egg problem.
Can this be done via the deployment mechanism, sending the forwarders appropriate configuration and certificates?
But then as soon as that configuration is active, the deployment server will no longer accept the connections until that is switched as well. Or is there a fallback mechanism to internal certs that allows a smooth transition?
thx
afx

brettwilliams · ‎10-14-2020

I've run into this myself... if a Splunk instance starts, and there is no SSL configuration anywhere, Splunk creates its own in etc/system/local. Which can't be overridden. I could conjure up something creative on the Linux forwarders... but Windows, yeah, right... not gonna happen.

For the forwarders that I control, this is easy to fix. But for the forwarders I don't control, I'm just a few mouse clicks away from doom when I'm making changes in Forwarder Management. If I accidentally pull the 8089 certs, I have to go get many, many people to touch every single forwarder to manually fix it. Maybe we shouldn't distribute SSL certs for 8089 via deployment server. But without any other options, at least in my enterprise, I don't see any alternatives.

Bootstrapping a secure management configuration with company certificates

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!