Getting Data In

Does FIPS apply to forwarders?

DaClyde
Contributor

I have now re-installed Splunk on both my search head and indexer to enable FIPS, and after a maddening week of frustration, finally have them talking to each other again. Now I need to get my forwarders secured with their own certificates. Does the same splunk-launch.conf edit to enable FIPS apply to the forwarders like it does to the indexer and search head?

The documentation relating to the FIPS implementation is frustratingly sparse.

0 Karma
1 Solution

jworthington_sp
Splunk Employee
Splunk Employee

Yes, you should be able to use the exact same process (re-install, make launch.conf edit) on your forwarders to turn on FIPs and get everything communicating properly.

And thanks for pointing out that the FIPs docs could use a little improvement, I'll get to work on those improvements.

Thanks!

View solution in original post

dolivasoh
Contributor

It's safe to assume it does. Forwarders as just scaled down versions of Splunk so the configurations are mostly universal.

0 Karma

jworthington_sp
Splunk Employee
Splunk Employee

Yes, you should be able to use the exact same process (re-install, make launch.conf edit) on your forwarders to turn on FIPs and get everything communicating properly.

And thanks for pointing out that the FIPs docs could use a little improvement, I'll get to work on those improvements.

Thanks!

jworthington_sp
Splunk Employee
Splunk Employee

To the best of my knowledge, you must reinstall. I'm not aware of anyone else having success otherwise, so it remains our best practice for the moment. I'm glad you were able to get it up and running successfully! For purposes of improving the docs, I'll definitely investigate some of the information you've provided.

Glad it worked, thanks for letting us know!

DaClyde
Contributor

I re-installed one of my forwarders, enabled FIPS and everything is fine. On a second, instead of re-installing, I just tried enabling FIPS, adding my certs and restarting the service, and I can't tell any difference. By all appearances, it is now using FIPS, is talking to my deployment server and is forwarding to my indexer.

Does enabling FIPS require a re-install on a forwarder, or can it simply be enabled? I guess I'm curious as to what the change is that requires the reinstall when enabling FIPS. Need I even have re-installed Splunk on my search-head and indexer? The documentation just says it is necessary, but doesn't give any rationale.

0 Karma

new2splunk21
Loves-to-Learn

Do the certs on the indexer need to be copied to the forwarder, or does the forwarder need its own?

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...