Getting Data In

How can Splunk provide forwarding/receiving security ??


When enabling the receiving function in a Splunk Enterprise instance (indexer for example), it will be listening on port 9997 by default (changeable) and any forwarder with the information (indexer IP:port ) can forward data and it will be well received.

My question here is: I think i am missing something but...

If a forwarder is a malicious or external one that can infect or disable the whole process by sending a massive storage ??

How can Splunk provide forwarding/receiving security (authentication / authorization ) ??

0 Karma

Re: How can Splunk provide forwarding/receiving security ??



I know there are 2 ways to secure indexer port 9997 (Or any other receiving port), you can use SSL certificate which you need to configure on Indexer and Forwarder. Please look at documentation

Other way is to secure Indexer and Forwarder using Token but I never tried this, have a look at outputs.conf for Forwarder config

token = <string>
* The access token for receiving data.
* Optional.
* If you configured an access token for receiving data from a forwarder, 
  Splunk software populates that token here.
* If you configured a receiver with an access token and that token is not
  specified here, the receiver rejects all data sent to it.
* No default.

and look at inputs.conf for Indexer.

# Access control settings.
[splunktcptoken://<token name>]
* Use this stanza to specify forwarders from which to accept data.
* You must configure a token on the receiver, then configure the same
  token on forwarders.
* The receiver discards data from forwarders that do not have the
  token configured.
* This setting is enabled for all receiving ports.
* This setting is optional.

token = <string>
* Value of token.

View solution in original post