BeyondTrust PRA Appliance Syslog Over TLS via Input Config

fillory4ever
Observer

So we are trying to send syslog from our BeyondTrust PRA Appliance to Splunk. We have validated via the SSL/TLS test that the connection is good. I have the cert on both sides, so this appears to be okay. We do not see the events in the index, though.

Configured inputs.conf in the /local folder as follows:

[tcp-ssl://6514]
disabled = false

[SSL]
requireClientCert = false
serverCert = /opt/splunk/etc/auth/custom/combined.cer
sslVersions = tls1.2
cipherSuite = AES256-SHA

We have the input set up in the web interface and have the correct index and source defined. No events coming in, though. I've seen several articles from multiple years back on configuring this. The TLS handshake works; what are we missing? Thanks in advance!

FYI: Tried this over UDP using a non-TLS input and the data comes in fine, but when we try with SSL it never shows up in the index.


fillory4ever
Observer

Also, I did look at the metrics.log and it shows the connections from the server sending the logs, but still nothing in the index. Below is an example of the connection (I have x'd out the IP).

10-25-2023 16:22:34.165 +0000 INFO Metrics - group=tcpin_connections, x.x.x.x:31311:6514, connectionType=rawSSL, sourcePort=31311, sourceHost=x.x.x.x, sourceIp=x.x.x.x, destPort=6514, kb=0.000, _tcp_Bps=0.000, _tcp_KBps=0.000, _tcp_avg_thruput=0.000, _tcp_Kprocessed=0.000, _tcp_eps=0.000, _process_time_ms=0, evt_misc_kBps=0.000, evt_raw_kBps=0.000, evt_fields_kBps=0.000, evt_fn_kBps=0.000, evt_fv_kBps=0.000, evt_fn_str_kBps=0.000, evt_fn_meta_dyn_kBps=0.000, evt_fn_meta_predef_kBps=0.000, evt_fn_meta_str_kBps=0.000, evt_fv_num_kBps=0.000, evt_fv_str_kBps=0.000, evt_fv_predef_kBps=0.000, evt_fv_offlen_kBps=0.000, evt_fv_fp_kBps=0.000

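An added helper, not from this thread or from Splunk, for reading metrics.log lines like the one above: it parses the group=tcpin_connections entries and flags rawSSL connections that opened but carried zero kilobytes, which is exactly the symptom in the post (handshake completes, nothing reaches the index). The sample lines are constructed, with placeholder IPs.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the metrics.log excerpt in the thread.
# Line 1: TLS connection with no payload (the symptom described above).
# Line 2: plain TCP connection that is actually moving data.
# Line 3: unrelated metrics group, to show it is skipped.
SAMPLE_METRICS = """\
10-25-2023 16:22:34.165 +0000 INFO Metrics - group=tcpin_connections, 192.0.2.10:31311:6514, connectionType=rawSSL, sourcePort=31311, sourceHost=192.0.2.10, sourceIp=192.0.2.10, destPort=6514, kb=0.000, _tcp_Bps=0.000, _tcp_KBps=0.000, _tcp_avg_thruput=0.000, _tcp_Kprocessed=0.000, _tcp_eps=0.000, _process_time_ms=0
10-25-2023 16:22:34.165 +0000 INFO Metrics - group=tcpin_connections, 192.0.2.11:40022:514, connectionType=raw, sourcePort=40022, sourceHost=192.0.2.11, sourceIp=192.0.2.11, destPort=514, kb=12.500, _tcp_Bps=426.667, _tcp_KBps=0.417, _tcp_avg_thruput=0.417, _tcp_Kprocessed=12.500, _tcp_eps=3.100, _process_time_ms=4
10-25-2023 16:23:05.001 +0000 INFO Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=0, current_size=0
"""

# key=value pairs are comma separated; the "ip:port:port" token has no '=' and is ignored.
KV_RE = re.compile(r"(\w+)=([^,]+)")


@dataclass
class TcpinConnection:
    source_ip: str
    dest_port: int
    connection_type: str
    kb: float            # kilobytes received on this connection in the interval
    processed_kb: float  # kilobytes handed on to the pipeline
    eps: float           # events per second


def parse_tcpin_connections(text):
    """Return one record per group=tcpin_connections line; other groups are skipped."""
    records = []
    for line in text.splitlines():
        if "group=tcpin_connections" not in line:
            continue
        kv = dict(KV_RE.findall(line))
        records.append(TcpinConnection(
            source_ip=kv["sourceIp"],
            dest_port=int(kv["destPort"]),
            connection_type=kv["connectionType"],
            kb=float(kv["kb"]),
            processed_kb=float(kv["_tcp_Kprocessed"]),
            eps=float(kv["_tcp_eps"]),
        ))
    return records


def idle_tls_connections(records):
    """TLS connections (connectionType=rawSSL) that completed but carried no payload.
    A sender appearing here but never elsewhere means the problem is upstream of
    indexing: the appliance is connecting, but not writing syslog on the session."""
    return [r for r in records
            if r.connection_type == "rawSSL" and r.kb == 0.0 and r.processed_kb == 0.0]


if __name__ == "__main__":
    for r in idle_tls_connections(parse_tcpin_connections(SAMPLE_METRICS)):
        print(f"{r.source_ip} -> :{r.dest_port} TLS up, 0 KB received")
```

Run it against a real `splunkd` metrics.log to separate "sender never connects" from "sender connects but sends nothing", which is the distinction this thread is stuck on.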