Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can Splunk provide forwarding/receiving securi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When enabling the receiving function in a Splunk Enterprise instance (indexer for example), it will be listening on port 9997 by default (changeable) and any forwarder with the information (indexer IP:port ) can forward data and it will be well received.
My question here is: I think i am missing something but...
If a forwarder is a malicious or external one that can infect or disable the whole process by sending a massive storage ??
How can Splunk provide forwarding/receiving security (authentication / authorization ) ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders
Other way is to secure Indexer and Forwarder using Token but I never tried this, have a look at outputs.conf for Forwarder config
token = <string>
* The access token for receiving data.
* Optional.
* If you configured an access token for receiving data from a forwarder,
Splunk software populates that token here.
* If you configured a receiver with an access token and that token is not
specified here, the receiver rejects all data sent to it.
* No default.
and look at inputs.conf for Indexer.
# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
token on forwarders.
* The receiver discards data from forwarders that do not have the
token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.
token = <string>
* Value of token.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders
Other way is to secure Indexer and Forwarder using Token but I never tried this, have a look at outputs.conf for Forwarder config
token = <string>
* The access token for receiving data.
* Optional.
* If you configured an access token for receiving data from a forwarder,
Splunk software populates that token here.
* If you configured a receiver with an access token and that token is not
specified here, the receiver rejects all data sent to it.
* No default.
and look at inputs.conf for Indexer.
# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
token on forwarders.
* The receiver discards data from forwarders that do not have the
token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.
token = <string>
* Value of token.
Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...
Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...
Reduce and Transform Your Firewall Data with Splunk Data Management
