Configuring TLS for Forwarding
I have noticed that my Splunk Enterprise 8.2.4 (all Windows) indexers are listening on TCP 9997 and forwarders are forwarding payloads in plaintext across the network, which security are naturally not happy with. So I'd like to use my PKI to issue some certificates for the indexer to start with (I'll worry about client certificates and mutual authentication down the line). I run a master, one search head and an indexer cluster with two nodes.
The guides seem to be clear enough on how to create the additional listener etc. but one thing is confusing me. The guide indicates to create the SSL listener and config under $SPLUNK_HOME/etc/system/local/inputs.conf but on my indexers the existing listener is under etc\apps\search\local\inputs.conf

Hi @shocko
It seems the inputs.conf is created under /search/local/.
This configuration also works. First Splunk looks for config under /system/local/;
if it doesn't find it there, it looks in the other directories as part of precedence.
I see no mention of the /search/ directory though in that document. Have I missed something?

From the configuration point of view, search is just another app.
It's a matter of convention and convenience usually. If you prepare config files by hand you usually split them logically into apps so you might for example have an app dedicated to a particular input or input type. This way you have granular control over the resulting configuration if you push some apps to forwarders.
But if you're configuring your Splunk instance from the web UI, since you're doing it mostly in the search app (if we're talking about the "generic" Splunk settings), the settings land in the search app's directory.
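
Added example, not part of the thread or of Splunk's own tooling: since a receiver can be defined in any app's inputs.conf (here etc\apps\search\local rather than etc\system\local), this sketch lists every enabled splunktcp listener per file and flags the ones without TLS. It reports per-file definitions only and does not merge stanzas by precedence; the sample file contents and port 9998 are constructed.

```python
import re
from pathlib import Path

# Matches [splunktcp://9997], [splunktcp://host:9997], [splunktcp:9997], [splunktcp-ssl:9997]
STANZA = re.compile(r"^\[(splunktcp(?:-ssl)?):(?://)?(?:[^\]:]*:)?(\d+)\]$")

def load_configs(etc_dir):
    """Read every inputs.conf below an etc directory into {path: text}."""
    return {str(p): p.read_text(errors="replace") for p in Path(etc_dir).rglob("inputs.conf")}

def find_receivers(configs):
    """configs: {path: inputs.conf text}. Returns one dict per enabled splunktcp listener."""
    found = []
    for path, text in sorted(configs.items()):
        current = None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if line.startswith("["):
                m = STANZA.match(line)
                current = None  # settings of unrelated stanzas (e.g. [SSL]) are skipped
                if m:
                    current = {"file": path, "port": int(m.group(2)),
                               "tls": m.group(1) == "splunktcp-ssl", "disabled": False}
                    found.append(current)
            elif current is not None and "=" in line:
                key, value = (part.strip() for part in line.split("=", 1))
                if key == "disabled":
                    current["disabled"] = value.lower() in ("1", "true")
    return [r for r in found if not r["disabled"]]

def plaintext_receivers(configs):
    """(file, port) for each enabled listener that accepts forwarder traffic without TLS."""
    return [(r["file"], r["port"]) for r in find_receivers(configs) if not r["tls"]]

# Constructed sample mirroring the layout described in the thread.
SAMPLE = {
    r"etc\apps\search\local\inputs.conf": "[splunktcp://9997]\nconnection_host = ip\n",
    r"etc\system\local\inputs.conf":
        "[splunktcp-ssl:9998]\n\n[SSL]\nserverCert = <path to indexer certificate>\n",
}

if __name__ == "__main__":
    for conf_file, port in plaintext_receivers(SAMPLE):
        print(f"plaintext receiver on TCP {port} defined in {conf_file}")
```

On a real indexer, pass `load_configs()` the instance's etc directory instead of `SAMPLE`.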
