Getting Data In

How can Splunk provide forwarding/receiving security ??

arlakathena
Explorer

When enabling the receiving function in a Splunk Enterprise instance (indexer for example), it will be listening on port 9997 by default (changeable) and any forwarder with the information (indexer IP:port ) can forward data and it will be well received.

My question here is: I think i am missing something but...

If a forwarder is a malicious or external one that can infect or disable the whole process by sending a massive storage ??

How can Splunk provide forwarding/receiving security (authentication / authorization ) ??

0 Karma
1 Solution

harsmarvania57
Ultra Champion

Hi,

I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders

Other way is to secure Indexer and Forwarder using Token but I never tried this, have a look at outputs.conf for Forwarder config

token = <string>
* The access token for receiving data.
* Optional.
* If you configured an access token for receiving data from a forwarder, 
  Splunk software populates that token here.
* If you configured a receiver with an access token and that token is not
  specified here, the receiver rejects all data sent to it.
* No default.

and look at inputs.conf for Indexer.

# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
  token on forwarders.
* The receiver discards data from forwarders that do not have the
  token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.

token = <string>
* Value of token.

View solution in original post

harsmarvania57
Ultra Champion

Hi,

I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation http://docs.splunk.com/Documentation/Splunk/7.2.1/Security/Aboutsecuringdatafromforwarders

Other way is to secure Indexer and Forwarder using Token but I never tried this, have a look at outputs.conf for Forwarder config

token = <string>
* The access token for receiving data.
* Optional.
* If you configured an access token for receiving data from a forwarder, 
  Splunk software populates that token here.
* If you configured a receiver with an access token and that token is not
  specified here, the receiver rejects all data sent to it.
* No default.

and look at inputs.conf for Indexer.

# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
  token on forwarders.
* The receiver discards data from forwarders that do not have the
  token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.

token = <string>
* Value of token.
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...