Getting Data In

How do I set up inputs.conf to allow for a cloud application to send syslog over a SSL connection?

scottrunyon
Contributor

Our anti-virus application is located in the "cloud" and is sending syslog data to the indexer over TCP port 6514. The application has the ability to use SSL to encrypt this data. Looking at previous answers, it looks like I should add [tcp-ssl://6514] to \etc\system\local\inputs.conf. After modifing the config and changing the remote end to use SSL, I get gibberish like this -

\x00\x00\x00 \x00\x00\x00
index = avprogram source = tcp:6514 sourcetype = syslog

When I remove the SSL requirement from the remote end, the data shows up as correct. It looks to me that I am missing a setting to decrypt the incoming data.

Any suggestions on what I need to do?

0 Karma
1 Solution

scottrunyon
Contributor

To solve the issue, in inputs.conf

Removed [tcp://6514] stanza

Added
[tcp-ssl://6514]
connection_host = dns
sourcetype = syslog
index = avprogram

[SSL]
rootCA = E:\Splunk\etc\auth\cacert.pem
serverCert = E:\Splunk\etc\auth\server.pem
password = *******************

Note: I had to add the entire path because this is a Windows system.

View solution in original post

scottrunyon
Contributor

To solve the issue, in inputs.conf

Removed [tcp://6514] stanza

Added
[tcp-ssl://6514]
connection_host = dns
sourcetype = syslog
index = avprogram

[SSL]
rootCA = E:\Splunk\etc\auth\cacert.pem
serverCert = E:\Splunk\etc\auth\server.pem
password = *******************

Note: I had to add the entire path because this is a Windows system.

FrankVl
Ultra Champion

Are you sure the TCP-SSL input is actually running properly? Did you remove the old TCP input config? Sounds like both are still in place and since splunk can only have 1 input on a TCP port, it picks the plain TCP input.

Try disabling/removing the old TCP input, or run the new input on another port, so you're sure you're troubleshooting the TCP-SSL input.

0 Karma

scottrunyon
Contributor

To get this to work, I had to remove the existing TCP input and add both the tcp-ssl and ssl sections.

0 Karma

FrankVl
Ultra Champion

So that solved it? Or you mean you did that already before you encountered this problem of receiving gibberish?

0 Karma
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...