How to configure sending encrypted syslog via TCP

tskubisz
Engager

Hi.
I have been struggling with this for a few days. 😞

I am sure that I don't understand some steps correctly, so that's the reason.
So I am trying to configure sending logs from my NAS servers (Synology) to my Splunk instance.

Logs are received correctly when I don't use SSL in my Synology syslog configuration. But when I enable SSL and import the certificate in Synology, the logs are received but are hashed.

I am searching for simple instructions on how to set up Splunk to receive input data via TCP with a self-signed certificate.

I generated certificates following these instructions:

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates

I generated the files in /opt/splunk/etc/auth/mycerts:
- CACertificate.csr
- CACertificate.pem
- CAPrivate.key
- ServerCertificate.csr
- ServerCertificate.pem
- ServerPrivate.key

After that I configured my Synology to send logs via TCP port 514 with SSL enabled and imported CACertificate.pem.

So I still don't understand how to configure inputs.conf and server.conf on my Splunk server to receive SSL syslog over TCP.
I've tried configuring it like this:

inputs.conf
    # TLS-wrapped TCP listener for the NAS syslog stream
    [tcp-ssl:514]
    sourcetype = syslog
    # certificate material for the listener (paths under /opt/splunk)
    [SSL]
    rootCA = /opt/splunk/etc/auth/mycerts/CACertificate.pem
    serverCert = /opt/splunk/etc/auth/mycerts/ServerCertificate.pem

What am I doing wrong?

0 Karma

tskubisz
Engager

Thanks for the help.
I am not sure I understood correctly how to implement this in my case.

On the Splunk side I need to configure inputs.conf and server.conf.
The outputs.conf is used on the client side (sending syslog device, universal forwarder, etc.).
In my case I don't have the option to configure a password for sending logs from Synology. I can only import a certificate if SSL is enabled for sending syslog.

I don't really understand why a password is needed. I didn't set up any password for SSL. Is it required to set a password?

0 Karma

tskubisz
Engager

So... if I understand correctly:

inputs.conf (file on the Splunk server side)
server.conf (Splunk server side)
outputs.conf (in my case this is the Synology NAS)

I don't understand why sslPassword is needed.
I didn't set up any password for SSL; is it required?
On my Synology server there is no option to set up a password for sending logs via syslog.

0 Karma

anmolpatel
Builder

The config you need on the syslog side:

- inputs.conf

    [SSL]
    serverCert = .pem
    sslPassword =
    requireClientCert = true

- outputs.conf

    [tcpout]
    sslPassword =
    clientCert = .pem
    useClientSSLCompression = true

- server.conf

    [sslConfig]
    serverCert = .pem
    sslRootCAPath = .pem
    sslPassword =

This is for the certs only; include other key/value pairs as required.

0 Karma
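As an added example (not code from this thread or from Splunk), a small Python checker for an inputs.conf like the one posted above: it parses the stanzas, confirms that a [tcp-ssl:<port>] input and an [SSL] stanza exist, reads the PEM files the stanza points at, and flags a serverCert whose private key is encrypted while sslPassword is unset, which is the point the replies are debating. It assumes Splunk's documented layout in which serverCert names a PEM that holds the certificate followed by its private key; the `read_pem` callable and all PEM text in the test are constructed for offline use.

```python
import re
from pathlib import Path

STANZA_RE = re.compile(r"^\[(.+)\]$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; blank lines and # comments are skipped."""
    conf, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = conf.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conf

def check_ssl_input(conf, read_pem=lambda p: Path(p).read_text()):
    """Return a list of problems with the TCP-SSL input (empty list means it looks sane).
    read_pem(path) -> PEM text is injectable so the check can run on constructed data."""
    problems = []
    if not any(s.startswith("tcp-ssl:") for s in conf):
        problems.append("no [tcp-ssl:<port>] stanza: TLS sent to a plain [tcp:<port>] input arrives as unreadable bytes")
    ssl = conf.get("SSL")
    if ssl is None:
        return problems + ["missing [SSL] stanza"]
    for key in ("serverCert", "rootCA"):
        path = ssl.get(key)
        if not path:
            problems.append(f"[SSL] lacks {key}")
            continue
        try:
            pem = read_pem(path)
        except (OSError, KeyError):  # unreadable path, e.g. the /optsplunk typo
            problems.append(f"{key} = {path}: file cannot be read (check the path for typos)")
            continue
        if "-----BEGIN CERTIFICATE-----" not in pem:
            problems.append(f"{key}: no CERTIFICATE block in {path}")
        if key == "serverCert" and "PRIVATE KEY-----" not in pem:
            problems.append("serverCert: the PEM must also contain the server private key")
        elif key == "serverCert" and "ENCRYPTED" in pem and not ssl.get("sslPassword"):
            # covers both PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" and legacy "Proc-Type: 4,ENCRYPTED"
            problems.append("serverCert: private key is encrypted but [SSL] has no sslPassword")
    return problems

if __name__ == "__main__":
    import sys  # usage: python check_inputs.py /opt/splunk/etc/system/local/inputs.conf
    for p in check_ssl_input(parse_conf(Path(sys.argv[1]).read_text())):
        print(p)
```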