Configuring TLS for Forwarding

shocko
Contributor

I have noticed that my Splunk Enterprise 8.2.4 (all Windows) indexers are listening on TCP 9997 and forwarders are forwarding payloads in plaintext across the network, which security are naturally not happy with. So I'd like to use my PKI to issue some certificates for the indexer to start with (I'll worry about client certificates and mutual authentication down the line). I run a master, one search head and an indexer cluster with two nodes.

The guides seem to be clear enough on how to create the additional listener etc. but one thing is confusing me. The guide indicates to create the SSL listener and config under $SPLUNK_HOME/etc/system/local/inputs.conf but on my indexers the existing listener is under etc\apps\search\local\inputs.conf

0 Karma

SanjayReddy
SplunkTrust

Hi @shocko

It seems the inputs.conf is created under /search/local/.

This configuration also works. First Splunk looks for config under /system/local/; if it doesn't find it there, it looks in the other directories as part of precedence.

0 Karma

shocko
Contributor

I see no mention of the /search/ directory though in that document. Have I missed something? 

0 Karma

PickleRick
SplunkTrust

From the configuration point of view, search is just another app.

It's a matter of convention and convenience usually. If you prepare config files by hand you usually split them logically into apps so you might for example have an app dedicated to a particular input or input type. This way you have granular control over the resulting configuration if you push some apps to forwarders.

But if you're configuring your Splunk instance from the web UI, since you're doing it mostly in the search app (if we're talking about the "generic" Splunk settings), the settings land in the search app's directory.
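
As an added example (not part of the thread and not Splunk's own code): a Python script that walks a Splunk `etc` directory and lists every `inputs.conf` defining a forwarding receiver, so a cleartext `splunktcp` listener left in an app directory such as `apps/search/local` shows up next to a TLS listener added under `system/local`. The sample tree, port 9998 and the certificate placeholder are constructed, and the script only locates stanzas; it does not reproduce Splunk's merge order.

```python
import re
import tempfile
from pathlib import Path

# Receiver stanzas: [splunktcp://9997] and [splunktcp:9997] are cleartext,
# [splunktcp-ssl:9997] is the TLS listener.
STANZA = re.compile(r"^\[(splunktcp(?:-ssl)?):(?://)?(?:[^\]:]*:)?(\d+)\]\s*$")

def find_receivers(etc_dir):
    """Return (relative conf path, port, 'tls'|'cleartext', enabled) per receiver stanza."""
    found = []
    for conf in sorted(Path(etc_dir).rglob("inputs.conf")):
        current = None
        for raw in conf.read_text(encoding="utf-8", errors="replace").splitlines():
            line = raw.strip()
            if line.startswith("["):
                m = STANZA.match(line)
                current = None  # any new stanza ends the previous one
                if m:
                    kind = "tls" if m.group(1) == "splunktcp-ssl" else "cleartext"
                    current = [conf.relative_to(etc_dir).as_posix(), int(m.group(2)), kind, True]
                    found.append(current)
            elif current and re.match(r"disabled\s*=\s*(1|true)\s*$", line, re.I):
                current[3] = False
    return [tuple(r) for r in found]

def cleartext_listeners(etc_dir):
    """Enabled receivers that accept forwarder traffic without TLS."""
    return [r for r in find_receivers(etc_dir) if r[2] == "cleartext" and r[3]]

def build_sample_tree(root):
    """Constructed sample: web-UI listener in the search app, TLS listener in system/local."""
    files = {
        "apps/search/local/inputs.conf": "[splunktcp://9997]\nconnection_host = ip\n",
        "system/local/inputs.conf": "[splunktcp-ssl:9998]\ndisabled = 0\n\n[SSL]\nserverCert = <path to indexer cert PEM>\n",
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, port, kind, enabled in find_receivers(tmp):
            print(f"{path}: port {port} {kind} enabled={enabled}")
```

On a live instance, `splunk btool inputs list --debug` prints the merged configuration together with the file each setting came from.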
