Getting Data In

How can Splunk provide forwarding/receiving security ??

arlakathena
Explorer

When enabling the receiving function in a Splunk Enterprise instance (indexer for example), it will be listening on port 9997 by default (changeable) and any forwarder with the information (indexer IP:port ) can forward data and it will be well received.

My question here is: I think i am missing something but...

If a forwarder is a malicious or external one that can infect or disable the whole process by sending a massive storage ??

How can Splunk provide forwarding/receiving security (authentication / authorization ) ??

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi,

I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders

Other way is to secure Indexer and Forwarder using Token but I never tried this, have a look at outputs.conf for Forwarder config

token = <string>
* The access token for receiving data.
* Optional.
* If you configured an access token for receiving data from a forwarder, 
  Splunk software populates that token here.
* If you configured a receiver with an access token and that token is not
  specified here, the receiver rejects all data sent to it.
* No default.

and look at inputs.conf for Indexer.

# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
  token on forwarders.
* The receiver discards data from forwarders that do not have the
  token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.

token = <string>
* Value of token.

View solution in original post

harsmarvania57
Ultra Champion

Hi,

I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders

Other way is to secure Indexer and Forwarder using Token but I never tried this, have a look at outputs.conf for Forwarder config

token = <string>
* The access token for receiving data.
* Optional.
* If you configured an access token for receiving data from a forwarder, 
  Splunk software populates that token here.
* If you configured a receiver with an access token and that token is not
  specified here, the receiver rejects all data sent to it.
* No default.

and look at inputs.conf for Indexer.

# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
  token on forwarders.
* The receiver discards data from forwarders that do not have the
  token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.

token = <string>
* Value of token.
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...