Splunk Dev

adding second TCP listener for SSL

mfrost8
Builder

When we setup Splunk some time ago, I did not setup encryption for data received from light/universal forwarders. Now I want to encrypt data from all of those forwarders. I can't realistically cutover every last forwarder at the same time (and I'd worry about events getting dropped in the process of a cutover).

It appears that you can't have one port do both encrypted and non-encrypted data. I believe I saw in another post that you would need to create another TCP listener port and configure that to use SSL.

I looked around and am not really sure how to create a second port. Is this just adding a new TCP listener in "Data Inputs" and then somehow configuring it with the SSL encryption-only configuration?

Thanks

0 Karma
1 Solution

itinney
Path Finder

Yes you can add another listening port by either:
a) Using the UI by going to Manager->
b) Using the command-line command, ./splunk enable listen 9998 -auth admin:change me
c) editing the inputs.conf file and adding a new stanza like [splunktcp://9998]

See this documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Aboutforwardingandreceivingdata

Regarding SSL encryption, you need to decide whether you want to use your own certificates or the ones supplied by Splunk. I suggest you read this:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/UseSSLtoencryptandauthenticatedatafromforwa...

View solution in original post

itinney
Path Finder

Yes you can add another listening port by either:
a) Using the UI by going to Manager->
b) Using the command-line command, ./splunk enable listen 9998 -auth admin:change me
c) editing the inputs.conf file and adding a new stanza like [splunktcp://9998]

See this documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Aboutforwardingandreceivingdata

Regarding SSL encryption, you need to decide whether you want to use your own certificates or the ones supplied by Splunk. I suggest you read this:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/UseSSLtoencryptandauthenticatedatafromforwa...

itinney
Path Finder

no nothing different, it's simply that the examples use the standard port. You can have many TCP listening ports with or without SSL encryption configured.

0 Karma

mfrost8
Builder

Thanks, itinney. I had read the SSL document you referred to (and the wiki and a few other things), but all those docs seemed to assume configuration against the standard listener port. It was clear to me if there was anything special about creating this second port.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...