Configuring TLS for Forwarding

shocko
Contributor

I have noticed that my Splunk Enterprise 8.2.4 (all Windows) indexers are listening on TCP 9997 and forwarders are forwarding payloads in plaintext across the network, which security are naturally not happy with. So I'd like to use my PKI to issue some certificates for the indexer to start with (I'll worry about client certificates and mutual authentication down the line). I run a master, one search head and an indexer cluster with two nodes.

The guides seem to be clear enough on how to create the additional listener etc., but one thing is confusing me. The guide indicates to create the SSL listener and config under $SPLUNK_HOME/etc/system/local/inputs.conf, but on my indexers the existing listener is under etc\apps\search\local\inputs.conf

0 Karma

SanjayReddy
SplunkTrust

Hi @shocko

It seems the inputs.conf is created under /search/local/.

This configuration also works. First, Splunk looks for config under /system/local/; if it doesn't find it there, it looks in other directories as part of precedence.

0 Karma

shocko
Contributor

I see no mention of the /search/ directory though in that document. Have I missed something? 

0 Karma

PickleRick
SplunkTrust

From the configuration point of view, search is just another app.

It's a matter of convention and convenience usually. If you prepare config files by hand, you usually split them logically into apps, so you might for example have an app dedicated to a particular input or input type. This way you have granular control over the resulting configuration if you push some apps to forwarders.

But if you're configuring your Splunk instance from the web UI, since you're doing it mostly in the search app (if we're talking about the "generic" Splunk settings), the settings land in the search app's directory.
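
The precedence described in the replies above, modeled as an added example that is not part of the original thread and is not Splunk's own code: it merges every inputs.conf under a constructed etc/ tree, records which file supplied each setting, and lists receivers that still accept plaintext. The layering used (system/local over app local over app default over system default, with apps compared in ASCII order), port 9998 and the sample files are assumptions of this example.

```python
import os, re, tempfile

def conf_files(etc, name="inputs.conf"):
    """Return existing conf files from lowest to highest precedence."""
    apps = os.path.join(etc, "apps")
    names = sorted(os.listdir(apps), reverse=True) if os.path.isdir(apps) else []
    dirs = [os.path.join(etc, "system", "default")]
    # Assumption: among apps, names earlier in ASCII order win, so they go last.
    dirs += [os.path.join(apps, a, "default") for a in names]
    dirs += [os.path.join(apps, a, "local") for a in names]
    dirs.append(os.path.join(etc, "system", "local"))
    return [p for p in (os.path.join(d, name) for d in dirs) if os.path.isfile(p)]

def effective(etc):
    """Merge per setting; each value remembers the file that supplied it."""
    merged = {}
    for path in conf_files(etc):
        rel = os.path.relpath(path, etc).replace(os.sep, "/")
        stanza = "default"
        with open(path, encoding="utf-8") as fh:
            for line in map(str.strip, fh):
                header = re.fullmatch(r"\[(.+)\]", line)
                if header:
                    stanza = header.group(1)
                    merged.setdefault(stanza, {})
                elif "=" in line and not line.startswith("#"):
                    key, value = (s.strip() for s in line.split("=", 1))
                    merged.setdefault(stanza, {})[key] = (value, rel)
    return merged

def plaintext_listeners(etc):
    """Enabled [splunktcp:...] receivers, i.e. not [splunktcp-ssl:...]."""
    found = []
    for stanza, kv in effective(etc).items():
        disabled = kv.get("disabled", ("0", ""))[0].lower() in ("1", "true")
        if stanza.startswith("splunktcp:") and not disabled:
            found.append(stanza)
    return sorted(found)

def build_sample():
    """Constructed etc/ tree: UI-made listener in the search app, TLS stanza split."""
    etc = tempfile.mkdtemp()
    sample = {
        "apps/search/local": "[splunktcp://9997]\nconnection_host = ip\n"
                             "[splunktcp-ssl:9998]\nrequireClientCert = true\n",
        "system/local": "[splunktcp-ssl:9998]\nrequireClientCert = false\n",
    }
    for sub, text in sample.items():
        os.makedirs(os.path.join(etc, *sub.split("/")))
        with open(os.path.join(etc, *sub.split("/"), "inputs.conf"), "w") as fh:
            fh.write(text)
    return etc
```

On a live instance, `splunk btool inputs list --debug` reports the file behind each effective setting.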
