Getting Data In

How do I set up inputs.conf to allow for a cloud application to send syslog over an SSL connection?

scottrunyon
Contributor

Our anti-virus application is located in the "cloud" and is sending syslog data to the indexer over TCP port 6514. The application has the ability to use SSL to encrypt this data. Looking at previous answers, it looks like I should add [tcp-ssl://6514] to \etc\system\local\inputs.conf. After modifying the config and changing the remote end to use SSL, I get gibberish like this -

\x00\x00\x00 \x00\x00\x00
index = avprogram source = tcp:6514 sourcetype = syslog

When I remove the SSL requirement from the remote end, the data shows up as correct. It looks to me that I am missing a setting to decrypt the incoming data.

Any suggestions on what I need to do?


scottrunyon
Contributor

To solve the issue, in inputs.conf

Removed the [tcp://6514] stanza

Added

# TLS listener on 6514. Only one input can bind a TCP port, so the plain
# [tcp://6514] stanza must be removed or the plain listener keeps the port.
[tcp-ssl://6514]
connection_host = dns
sourcetype = syslog
index = avprogram

# TLS settings shared by all tcp-ssl inputs on this instance
[SSL]
rootCA = E:\Splunk\etc\auth\cacert.pem
serverCert = E:\Splunk\etc\auth\server.pem
password = *******************

Note: I had to add the entire path because this is a Windows system.

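The root cause in this thread is a port collision: a leftover [tcp://6514] stanza and the new [tcp-ssl://6514] stanza both claimed the same port, the plain listener won, and the client's TLS handshake bytes were indexed as unreadable events. The following linter is an added example (not Splunk code and not from the original post) that parses an inputs.conf fragment and reports that collision, plus a tcp-ssl input that has no [SSL] stanza or no serverCert. The parser is a minimal stand-in for Splunk's own conf loader, and the two sample configs are constructed to mirror the broken and fixed states described above (the certificate password is a placeholder).

```python
"""Lint an inputs.conf fragment for the TLS-input mistakes in this thread.

Checks performed (all assumptions about Splunk behaviour are taken from the
thread: one input per TCP port, and tcp-ssl inputs need an [SSL] stanza):
  1. a [tcp://PORT] and a [tcp-ssl://PORT] stanza bind the same port
  2. a [tcp-ssl://...] stanza exists but there is no [SSL] stanza
  3. the [SSL] stanza has no serverCert
"""
import re
from typing import Dict, List

# Matches [tcp://6514], [tcp-ssl://6514], [udp://514] and [tcp://host:6514].
_NETWORK_STANZA = re.compile(
    r"^(?P<proto>tcp-ssl|tcp|udp)://(?:(?P<host>[^:\]]+):)?(?P<port>\d+)$"
)


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal Splunk .conf parser: [stanza] headers and key = value lines.

    '#' comments and blank lines are skipped; a repeated key inside a stanza
    overrides the earlier value; a repeated stanza name is merged.
    """
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside a stanza, or not a setting
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def lint_tls_inputs(stanzas: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means the fragment is clean."""
    findings: List[str] = []
    by_port: Dict[str, List[str]] = {}
    for name, settings in stanzas.items():
        m = _NETWORK_STANZA.match(name)
        if not m:
            continue
        if settings.get("disabled", "0").lower() in ("1", "true"):
            continue  # a disabled stanza does not bind the port
        by_port.setdefault(m.group("port"), []).append(m.group("proto"))

    # Check 1: two TCP-family listeners on one port; only one will bind.
    for port, protos in sorted(by_port.items()):
        tcp_family = sorted(set(p for p in protos if p in ("tcp", "tcp-ssl")))
        if len(tcp_family) > 1:
            findings.append(
                f"port {port}: {' and '.join(tcp_family)} stanzas both claim the "
                f"port; remove the plain tcp stanza so the TLS listener binds"
            )

    # Checks 2 and 3: a tcp-ssl input needs an [SSL] stanza with a server cert.
    has_tls_input = any("tcp-ssl" in protos for protos in by_port.values())
    if has_tls_input:
        ssl = stanzas.get("SSL")
        if ssl is None:
            findings.append("tcp-ssl input configured but no [SSL] stanza is present")
        elif not ssl.get("serverCert"):
            findings.append("[SSL] stanza has no serverCert, so the listener has no certificate to present")
    return findings


def lint_text(text: str) -> List[str]:
    """Convenience wrapper: parse then lint."""
    return lint_tls_inputs(parse_conf(text))


# Constructed sample: the state described in the question (old stanza left in place).
BROKEN_CONF = r"""
[tcp://6514]
sourcetype = syslog
index = avprogram

[tcp-ssl://6514]
connection_host = dns
sourcetype = syslog
index = avprogram
"""

# Constructed sample: the accepted solution, with a placeholder key password.
FIXED_CONF = r"""
[tcp-ssl://6514]
connection_host = dns
sourcetype = syslog
index = avprogram

[SSL]
rootCA = E:\Splunk\etc\auth\cacert.pem
serverCert = E:\Splunk\etc\auth\server.pem
password = placeholder-not-a-real-password
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{label}: {lint_text(conf) or ['OK']}")
```

Run it against the merged configuration, not a single file: Splunk layers inputs.conf from several apps, so the stale [tcp://6514] stanza may live in a different app directory than the new tcp-ssl one, which is exactly how a collision survives a visual check of one file. Also check the inputs.conf.spec shipped with your Splunk version before copying the [SSL] settings above; newer versions document sslPassword in place of password and move the CA path to server.conf.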


FrankVl
Ultra Champion

Are you sure the TCP-SSL input is actually running properly? Did you remove the old TCP input config? Sounds like both are still in place and since splunk can only have 1 input on a TCP port, it picks the plain TCP input.

Try disabling/removing the old TCP input, or run the new input on another port, so you're sure you're troubleshooting the TCP-SSL input.


scottrunyon
Contributor

To get this to work, I had to remove the existing TCP input and add both the tcp-ssl and ssl sections.


FrankVl
Ultra Champion

So that solved it? Or you mean you did that already before you encountered this problem of receiving gibberish?
