
How to configure my splunk app to get data over SSL ?

ranjyotiprakash
Communicator


I am trying to generate reports based on the logs generated by a Barracuda Web Application Firewall. The Barracuda appliance is configured to send the logs to my Splunk instance using the SSL connection type. How do I configure my Splunk app to get the data?

Thanks...


Ayn
Legend

Have a look at the docs for inputs.conf. http://docs.splunk.com/Documentation/Splunk/5.0/Admin/Inputsconf

Specifically, there's the tcp-ssl input type that will receive data over an SSL connection. Also have a look at the SSL stanza for additional settings for SSL inputs.

[tcp-ssl:<port>]
* Use this stanza type if you are receiving encrypted, unparsed data from a forwarder or third-party system.
* Set <port> to the port on which the forwarder/third-party system is sending unparsed, encrypted data.



TonyLeeVT
Builder

After checking splunkd.log and a little troubleshooting, I was able to get the tcp-ssl port to listen and receive SSL-encrypted traffic from a third-party device. I used the following steps:

Generate certs:

mkdir /opt/splunk/etc/certs
export OPENSSL_CONF=/opt/splunk/openssl/openssl.cnf
/opt/splunk/bin/genRootCA.sh -d /opt/splunk/etc/certs

/opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n splunk -c splunk -p

Note: it will ask you to enter a password.

In inputs.conf, I used the following:

[tcp-ssl://6514]
Sourcetype = <your source type here>

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCERT = $SPLUNK_HOME/etc/certs/splunk.pem
password = <The password that was used in the genSignedServerCert>

You may want to use netstat -an | grep :6514 to make sure the port is listening after a restart. If not, check /opt/splunk/var/log/splunkd/splunkd.log again for errors. Hope that helps!


ChrisG
Splunk Employee

Following on from Ayn's posting, there is more detail about the configuration of inputs.conf and outputs.conf in the Securing Splunk manual: http://docs.splunk.com/Documentation/Splunk/5.0/Security/Aboutsecuringdatafromforwarders


dondky
Path Finder

Hi ranjyotiprakash,

The first question is how are you planning on forwarding the data into Splunk? Is it via syslog? You mention "The Barracuda appliance is configured to send the logs to my splunk instance through SSL connection type" Does this mean you already set it up?

I did some digging around and it looks like the Barracuda supports syslog over SSL. You would have to configure your syslog receiver (rsyslog, syslog-ng), running either on a dedicated syslog collector or on the Splunk indexer itself, to receive via SSL. Once you start receiving data via syslog over SSL, you can then decide whether to forward the data to an indexer or index it directly on the indexer.

See: http://docs.splunk.com/Documentation/Splunk/5.0/Data/Configureyourinputs


ranjyotiprakash
Communicator

Hi dondky,

Thanks for your reply. The Barracuda Web Application Firewall has three connection types available when configuring a syslog server: UDP, TCP and SSL. For UDP and TCP, I configured the inputs.conf of my app as follows:

[udp://514]
connection_host = none
sourcetype = syslog
disabled = 0

[tcp://514]
connection_host = none
sourcetype = syslog
disabled = 0

But if I choose the SSL option as the connection type for the syslog server, what should be the workaround to get the data into my Splunk setup?
Thanks..

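The stanzas in this thread (TonyLeeVT's [tcp-ssl://6514] plus [SSL], and the [udp://514] / [tcp://514] stanzas above) are the whole receiver configuration, so it is worth checking them before pointing the WAF at the port. The checker below is an added example, not Splunk tooling or code from anyone in the thread: it parses an inputs.conf fragment and flags the settings a reviewer would want to see. The two configs it carries are constructed for the example; `requireClientCert` and `sslVersions` are [SSL] settings documented in later inputs.conf versions than the 5.0 docs linked above, so confirm they exist in the version you run. Setting names are lower-cased before comparison so that `serverCERT`/`serverCert` and `Sourcetype`/`sourcetype` (both spellings appear in the thread) are treated alike.

```python
"""Lint a Splunk inputs.conf fragment for the [tcp-ssl://<port>] + [SSL] pattern.

Added example (not Splunk's own tooling). The two configs below are
constructed: the first is the thread's setup with the security-relevant
settings left out, the second is the hardened form.
"""

WEAK_INPUTS_CONF = """
# plaintext inputs from the thread, left enabled beside the TLS input
[tcp://514]
connection_host = none
sourcetype = syslog
disabled = 0

[tcp-ssl://6514]
Sourcetype = barracuda_waf

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCERT = $SPLUNK_HOME/etc/certs/splunk.pem
requireClientCert = false
sslVersions = *,-ssl2
"""

HARDENED_INPUTS_CONF = """
[tcp-ssl://6514]
sourcetype = barracuda_waf
disabled = 0

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCert = $SPLUNK_HOME/etc/certs/splunk.pem
password = <passphrase entered when running genSignedServerCert.sh>
requireClientCert = true
sslVersions = tls1.2
"""

WEAK_TLS_VERSIONS = {"ssl2", "ssl3", "tls1.0", "tls1.1"}


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}.

    Setting names are lower-cased so serverCert / serverCERT compare equal.
    Stanza names keep their case ([SSL] is looked up as written).
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip().lower()] = value.strip()
    return stanzas


def is_true(value):
    return value.strip().lower() in ("1", "true", "yes")


def allowed_tls_versions(spec):
    """Expand an sslVersions list: '*' means every version, '-name' removes one."""
    allowed = set()
    for token in (t.strip().lower() for t in spec.split(",") if t.strip()):
        if token == "*":
            allowed |= WEAK_TLS_VERSIONS | {"tls1.2"}
        elif token.startswith("-"):
            allowed.discard(token[1:])
        else:
            allowed.add(token)
    return allowed


def lint_ssl_inputs(text):
    """Return a list of findings; an empty list means nothing to flag."""
    conf = parse_conf(text)
    findings = []

    ssl_inputs = {n: b for n, b in conf.items() if n.lower().startswith("tcp-ssl:")}
    if not any(not is_true(b.get("disabled", "0")) for b in ssl_inputs.values()):
        findings.append("no enabled [tcp-ssl://<port>] stanza: nothing listens for TLS syslog")
    for name in ssl_inputs:
        port = name.rsplit(":", 1)[-1].strip("/")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            findings.append(f"[{name}]: '{port}' is not a valid TCP port")

    # A plaintext listener left enabled beside the TLS one defeats the point.
    for name, body in conf.items():
        if name.lower().startswith(("tcp:", "udp:")) and not is_true(body.get("disabled", "0")):
            findings.append(f"[{name}] is still enabled: a plaintext syslog path stays open beside the TLS one")

    ssl = conf.get("SSL")
    if ssl is None:
        findings.append("no [SSL] stanza: the tcp-ssl input has no certificate to present")
        return findings
    for key in ("servercert", "rootca"):
        if key not in ssl:
            findings.append(f"[SSL] is missing {key}")
    if "password" not in ssl:
        findings.append("[SSL] has no password: a passphrase-protected server key "
                        "(what genSignedServerCert.sh produces) cannot be loaded")
    if not is_true(ssl.get("requireclientcert", "false")):
        findings.append("[SSL] requireClientCert is not true: any host that can reach the port "
                        "can inject log lines that look like the WAF's")
    weak = allowed_tls_versions(ssl.get("sslversions", "")) & WEAK_TLS_VERSIONS
    if weak:
        findings.append(f"[SSL] sslVersions permits {sorted(weak)}; restrict it to tls1.2")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_INPUTS_CONF), ("hardened", HARDENED_INPUTS_CONF)):
        print(f"{label}: {lint_ssl_inputs(conf) or ['no findings']}")
```

Setting `requireClientCert = true` means the Barracuda must present a client certificate signed by the CA in `rootCA`, so confirm the appliance can be given one before enabling it, or the handshake fails and nothing is indexed. Once the port is up, the check the netstat line above does not cover is the handshake itself: `openssl s_client -connect <indexer>:6514 -CAfile cacert.pem` from the WAF's network segment shows whether the presented chain verifies and which protocol was negotiated.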