Getting Data In

How can Splunk provide forwarding/receiving security ??

arlakathena
Explorer

When enabling the receiving function in a Splunk Enterprise instance (indexer for example), it will be listening on port 9997 by default (changeable) and any forwarder with the information (indexer IP:port ) can forward data and it will be well received.

My question here is: I think i am missing something but...

If a forwarder is a malicious or external one that can infect or disable the whole process by sending a massive storage ??

How can Splunk provide forwarding/receiving security (authentication / authorization ) ??

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders

Other way is to secure Indexer and Forwarder using Token but I never tried this, have a look at outputs.conf for Forwarder config

token = <string>
* The access token for receiving data.
* Optional.
* If you configured an access token for receiving data from a forwarder, 
  Splunk software populates that token here.
* If you configured a receiver with an access token and that token is not
  specified here, the receiver rejects all data sent to it.
* No default.

and look at inputs.conf for Indexer.

# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
  token on forwarders.
* The receiver discards data from forwarders that do not have the
  token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.

token = <string>
* Value of token.

View solution in original post

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders

Other way is to secure Indexer and Forwarder using Token but I never tried this, have a look at outputs.conf for Forwarder config

token = <string>
* The access token for receiving data.
* Optional.
* If you configured an access token for receiving data from a forwarder, 
  Splunk software populates that token here.
* If you configured a receiver with an access token and that token is not
  specified here, the receiver rejects all data sent to it.
* No default.

and look at inputs.conf for Indexer.

# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
  token on forwarders.
* The receiver discards data from forwarders that do not have the
  token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.

token = <string>
* Value of token.
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...