Getting Data In

How can Splunk provide forwarding/receiving security ??

arlakathena
Explorer

When enabling the receiving function in a Splunk Enterprise instance (indexer for example), it will be listening on port 9997 by default (changeable) and any forwarder with the information (indexer IP:port ) can forward data and it will be well received.

My question here is: I think i am missing something but...

If a forwarder is a malicious or external one that can infect or disable the whole process by sending a massive storage ??

How can Splunk provide forwarding/receiving security (authentication / authorization ) ??

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders

Other way is to secure Indexer and Forwarder using Token but I never tried this, have a look at outputs.conf for Forwarder config

token = <string>
* The access token for receiving data.
* Optional.
* If you configured an access token for receiving data from a forwarder, 
  Splunk software populates that token here.
* If you configured a receiver with an access token and that token is not
  specified here, the receiver rejects all data sent to it.
* No default.

and look at inputs.conf for Indexer.

# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
  token on forwarders.
* The receiver discards data from forwarders that do not have the
  token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.

token = <string>
* Value of token.

View solution in original post

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders

Other way is to secure Indexer and Forwarder using Token but I never tried this, have a look at outputs.conf for Forwarder config

token = <string>
* The access token for receiving data.
* Optional.
* If you configured an access token for receiving data from a forwarder, 
  Splunk software populates that token here.
* If you configured a receiver with an access token and that token is not
  specified here, the receiver rejects all data sent to it.
* No default.

and look at inputs.conf for Indexer.

# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
  token on forwarders.
* The receiver discards data from forwarders that do not have the
  token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.

token = <string>
* Value of token.
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...