I am working on getting Splunk secured with certificates. We have a requirement to ensure the integrity of our audit logs as they are transported to Splunk. This would mean that I need to use SSL/TLS between the Forwarders and the Indexers.
When I read the SSL documentation, it wants a cert file and a password in the config settings for each forwarder. This might work for a few forwarders, but we are planning on doing 1,000+ Windows clients, so this would become a management issue. I know I can force the clients to request certificates from our Enterprise CA through GPOs without much problem.
Is there a way to tell the Universal Forwarders to use the machine/host certificates without having to manually set the certificate settings or even using one certificate for all the UFs?
Yeah... basically we made a forwarder certificate that we push out with a deployment app with a password in the clear.
This conf presentation was what we based our final solution on.
The way to configure the SSL configuration is using the indexer certs. So you only need to deploy the certs of all of your indexers to all of your forwarders.
You have to configure inputs.conf in the indexer and outputs.conf in the forwarders.
Check out this link
Hope I helped you.
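Added example, not from the answer above or from Splunk's own docs: the inputs.conf / outputs.conf pair the answer describes, written so the forwarders only need the enterprise CA chain (not a per-forwarder cert and password) while still verifying the indexer they connect to. Hostnames, port and file paths are assumptions; a forwarder-side client certificate is shown commented out, since it is only required if the indexer insists on it.

```ini
# ---- Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf ----
# Receive forwarder traffic over TLS only. The indexer presents its own
# certificate (issued by the enterprise CA); the private key password is
# kept on the indexer, not pushed to 1,000+ clients.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# PEM containing the indexer cert, its private key and the issuing chain.
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer1.pem
# Password for the private key above (Splunk hashes this on first start).
sslPassword = CHANGEME_indexer_key_password
# false = server-authenticated TLS only (integrity + confidentiality in
# transit, forwarder trusts the indexer). Set true to also require each
# forwarder to present a cert signed by a CA the indexer trusts.
requireClientCert = false

# ---- Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ----
# Deployed to every Universal Forwarder, e.g. via a deployment app.
# Nothing here is secret: only the CA chain is needed to validate indexers.
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = indexer1.example.com:9997, indexer2.example.com:9997
# Enterprise CA chain used to validate the indexer certificate.
# Newer releases read this from server.conf [sslConfig] instead; check the
# outputs.conf spec for your version.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/enterprise_ca_chain.pem
# Reject indexers whose cert does not chain to the CA above and whose
# CN/SAN does not match one of the expected indexer names.
sslVerifyServerCert = true
sslCommonNameToCheck = indexer1.example.com, indexer2.example.com
# Only needed when the indexer sets requireClientCert = true. This is the
# per-forwarder cert/password the question wants to avoid distributing.
#clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
#sslPassword = CHANGEME_forwarder_key_password
```

With requireClientCert left false, the only file shared across all forwarders is the public CA chain, so the deployment app carries no private key or password.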
Why are we using the Indexer certificate on the forwarders? Doing this raises a few issues for me:
Is the local Microsoft Certificate Store not an option?