Hi.
I have been struggling with this for a few days. 😞
I'm sure that I don't understand some steps correctly, so that's the reason.
So I am trying to configure sending logs from my NAS servers (Synology) to my Splunk instance.
Logs are received correctly when I do not use SSL in my Synology log sending configuration. But when I enable SSL and import the certificate in Synology, the logs are received but are hashed.
I am searching for simple instructions on how to set up Splunk to receive input data via TCP with a self-signed certificate.
I generated certificates with these instructions:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates
I generated files in /opt/splunk/etc/auth/mycerts
- CACertificate.csr
- CACertificate.pem
- CAPrivate.key
- ServerCertificate.csr
- ServerCertificate.pem
- ServerPrivate.key
After that I configured my Synology to send logs via TCP port 514 with SSL enabled and imported CACertificate.pem.
So I still don't understand how to configure inputs.conf and server.conf on my Splunk server to receive SSL syslog over TCP.
I've tried to configure it like this:
inputs.conf
[tcp-ssl:514]
sourcetype = syslog
[SSL]
rootCA = /opt/splunk/etc/auth/mycerts/CACertificate.pem
serverCert = /optsplunk/etc/auth/mycerts/ServerCertificate.pem
What am I doing wrong?
Thanks for the help.
I am not sure whether I correctly understood how to implement this in my case.
On the Splunk side I need to configure inputs.conf and server.conf.
The outputs.conf is used on the client side (the device sending syslog / universal forwarder, etc.).
In my case I don't have an option to configure a password for sending logs from Synology. I can only import a certificate if SSL is enabled for sending syslog.
I don't really understand why a password is needed. I haven't set up any password for SSL. Is it required to set a password?
So, if I understand correctly:
inputs.conf (file on the Splunk server side)
server.conf (Splunk server side)
outputs.conf (in my case it is the Synology NAS)
I don't understand why sslPassword is needed.
I haven't set up any password for SSL; is it required?
On my Synology server there is no option to set up a password for sending logs via syslog.
Config you need, on the syslog:
- inputs.conf
[SSL]
serverCert = .pem
sslPassword =
requireClientCert = true
outputs.conf
[tcpout]
sslPassword =
clientCert = .pem
useClientSSLCompression = true
server.conf
[sslConfig]
serverCert = .pem
sslRootCAPath = .pem
sslPassword =
This is for the certs only, include other key/pair as required
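Added example, not part of the thread and not Splunk's own code: a Python check of the PEM file that `serverCert` points to, showing when `sslPassword` matters. It assumes, following Splunk's documented bundle layout, that the file holds the server certificate together with its private key and that `sslPassword` is the passphrase of that key when the key is encrypted; the function names and the sample PEM text are constructed.

```python
import re

# Matches one PEM block, e.g. "-----BEGIN ENCRYPTED PRIVATE KEY-----" ... END
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_bundle(pem_text):
    """Return (block labels in file order, True if a private key is encrypted)."""
    labels, encrypted = [], False
    for label, body in PEM_BLOCK.findall(pem_text):
        labels.append(label)
        if label.endswith("PRIVATE KEY"):
            # PKCS#8 encrypted keys have their own label; traditional
            # OpenSSL keys flag encryption with a Proc-Type header.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                encrypted = True
    return labels, encrypted

def check_server_cert(pem_text, ssl_password_set):
    """List problems with a serverCert bundle (assumed layout: cert + key)."""
    labels, encrypted = inspect_bundle(pem_text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no certificate in bundle")
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        problems.append("no private key in bundle")
    if encrypted and not ssl_password_set:
        problems.append("private key is encrypted but sslPassword is empty")
    return problems

# Constructed placeholder PEM text; the bodies are not real key material.
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
           "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    cases = [("certificate only", CERT, False),
             ("cert + encrypted key, no sslPassword", CERT + ENC_KEY, False),
             ("cert + encrypted key, sslPassword set", CERT + ENC_KEY, True),
             ("cert + unencrypted key", CERT + PLAIN_KEY, False)]
    for name, bundle, has_password in cases:
        print(f"{name}: {check_server_cert(bundle, has_password) or 'ok'}")
```

The passphrase checked here protects the private key on the Splunk server; it is not a credential the sending device has to supply.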