Getting Data In

How to configure sending encrypted syslog via TCP

tskubisz
Engager

Hi.
I have been struggling with this for a few days. 😞

I'm sure that I don't understand some steps correctly, so that's the reason.
So I'm trying to configure sending logs from my NAS servers (Synology) to my Splunk instance.

Logs are received correctly when I don't use SSL in my Synology syslog sending configuration. But when I enable SSL and import the certificate in Synology, then the logs are received but are hashed.

I'm searching for simple instructions on how to set up Splunk to receive input data via TCP with a self-signed certificate.

I generated certificates following these instructions:

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates

I generated these files in /opt/splunk/etc/auth/mycerts:
- CACertificate.csr
- CACertificate.pem
- CAPrivate.key
- ServerCertificate.csr
- ServerCertificate.pem
- ServerPrivate.key

After that I configured my Synology to send logs via TCP port 514 with SSL enabled and imported CACertificate.pem.

So I still don't understand how to configure inputs.conf and server.conf on my Splunk server to receive SSL syslog over TCP.
I've tried to configure it like this:

inputs.conf

    [tcp-ssl:514]
    sourcetype = syslog

    [SSL]
    # rootCA in inputs.conf is deprecated in recent Splunk versions; the CA is
    # normally given as sslRootCAPath in server.conf
    rootCA = /opt/splunk/etc/auth/mycerts/CACertificate.pem
    # serverCert must be one PEM holding the server certificate, its private key
    # and the CA certificate; if that key is encrypted, sslPassword is needed too
    serverCert = /opt/splunk/etc/auth/mycerts/ServerCertificate.pem

What am I doing wrong?

0 Karma

tskubisz
Engager

Thanks for the help.
I am not sure whether I correctly understand how to implement this in my case.

On the Splunk side I need to configure inputs.conf and server.conf.
The outputs.conf is used on the client side (sending syslog device / universal forwarder etc.).
In my case I don't have an option to configure a password for sending logs from Synology. I can only import a certificate if SSL is enabled for sending syslog.

I don't really understand why a password is needed. I didn't set up any password for SSL. Is it required to set a password?

0 Karma

tskubisz
Engager

So... if I understand correctly:

inputs.conf (file on Splunk server side)
server.conf (Splunk server side)
outputs.conf (in my case this is the Synology NAS)

I don't understand why sslPassword is needed.
I didn't set up any password for SSL. Is it required?
On my Synology server there is no option to set up a password for sending logs via syslog.

0 Karma

anmolpatel
Builder

Config you need for the syslog:

- inputs.conf

    [SSL]
    serverCert = .pem
    sslPassword = 
    requireClientCert = true

- outputs.conf

    [tcpout]
    sslPassword =
    clientCert = .pem
    useClientSSLCompression = true

- server.conf

    [sslConfig]
    serverCert = .pem
    sslRootCAPath = .pem
    sslPassword =

This is for the certs only; include other key/value pairs as required.

0 Karma
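An added check for the setup discussed in this thread (example code, not from either poster or from Splunk): it inspects the PEM that serverCert points at, reporting whether it holds the certificate, private key and CA together and whether the key is encrypted (the case in which sslPassword is required), and opens a CA-verified TLS connection to the listener the way the NAS would. Host, port and file paths are assumptions.

```python
"""Sanity checks for a Splunk [tcp-ssl] input. Example code added here, not from
the thread or from Splunk docs; host, port and paths are assumptions."""
import re
import socket
import ssl
import time

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)


def inspect_server_pem(pem_text):
    """Report what the file named by serverCert contains. Splunk expects the
    server certificate, its private key and the CA certificate concatenated
    into one PEM; an encrypted key additionally requires sslPassword."""
    blocks = [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]
    certs = blocks.count("CERTIFICATE")
    has_key = any(b.endswith("PRIVATE KEY") for b in blocks)
    # PKCS#8 encrypted keys announce it in the header; traditional OpenSSL keys
    # carry a Proc-Type line instead.
    encrypted = "ENCRYPTED PRIVATE KEY" in blocks or "Proc-Type: 4,ENCRYPTED" in pem_text
    return {"certificates": certs, "has_private_key": has_key,
            "needs_sslPassword": encrypted, "complete": certs >= 2 and has_key}


def send_test_syslog(host, port, cafile, message):
    """Connect like the NAS would, verifying the listener against our own CA,
    and send one RFC 3164 style line. Returns the line that was sent."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # self-signed CA; the CN rarely matches the host
    line = "<134>%s splunk-check: %s\n" % (time.strftime("%b %d %H:%M:%S"), message)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(line.encode())
    return line


# Constructed sample, not a real key or certificate: the shape of the PEM the
# Splunk self-signing guide produces, with an encrypted traditional RSA key.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBsampleServerCert
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEsampleEncryptedKey
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIBsampleCACert
-----END CERTIFICATE-----
"""
```

Run `inspect_server_pem(open(path).read())` against the real ServerCertificate.pem; if the listener starts, `send_test_syslog` against port 514 with CACertificate.pem confirms the chain the NAS will see.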