Solved: Decode Logs coming from Syslog (SSL)

elli_i · ‎09-06-2017

Hi,
i am trying to send encrypted logs from Syslog to Splunk. To decrypt them i changed the splunk/etc/system/local/inputs.conf file like so:
[tcp-ssl:5140]
[SSL]
serverCert = path.pem
sslPassword = password

I already get the encrypted Logs but the decryption doesnt work.
Can you help me?

jkat54 · ‎09-06-2017

The tcp-ssl stanza just enables ssl on the connection from the syslog server to the splunk server. It's not going to handle any decryption of the underlying data.

View solution in original post

crendon_splunk · ‎05-19-2020

I know has been long time, were you able to decryp the logs at the end?

jkat54 · ‎09-06-2017

The tcp-ssl stanza just enables ssl on the connection from the syslog server to the splunk server. It's not going to handle any decryption of the underlying data.

elli_i · ‎09-06-2017

Okay, thanks! And what handles the decryption? I thought by sharing the certificate, with the ssl stanza, decryption is enabled. Or do i have to add a personal script? If so, is there a possibility, to just point splunk to the script, and splunk handles it?

esix_splunk · ‎09-06-2017

Splunk wont be able to decrypt this. You're going to want to use rsyslog/syslog-ng to do this, and after the files are decrypted and written to disk, use the UF to read the files.

saravanan90 · ‎02-15-2021

Hi @esix_splunk,

Is the above state still true with newer version of Splunk. Can Splunk decrypt the encrypted data coming from external?

esix_splunk · ‎02-15-2021

Same still holds true, you cannot send SSL traffic to a Splunk-SSLTCP input and hope Splunk can decrypt it.

Splunk TCP/SSL is for Splunk2Splunk(S2S) over SSL.

saravanan90 · ‎02-15-2021

Thanks a lot for your quick help @esix_splunk.

Decode Logs coming from Syslog (SSL)

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?