How to configure sending encrypted syslog via TCP

tskubisz
Engager

Hi.
I have been struggling with this for a few days. 😞

I am sure that I don't understand some steps correctly, so that's the reason.
I am trying to configure sending logs from my NAS servers (Synology) to my Splunk instance.

Logs are received correctly when I don't use SSL in my Synology log-sending configuration. But when I enable SSL and import the certificate in Synology, the logs are received but are hashed.

I am searching for simple instructions on how to set up Splunk to receive input data via TCP with a self-signed certificate.

I generated the certificates with these instructions:

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates

I generated these files in /opt/splunk/etc/auth/mycerts:
- CACertificate.csr
- CACertificate.pem
- CAPrivate.key
- ServerCertificate.csr
- ServerCertificate.pem
- ServerPrivate.key

After that I configured my Synology to send logs via TCP port 514 with SSL enabled and imported CACertificate.pem.

So I still don't understand how to configure inputs.conf and server.conf on my Splunk server to receive SSL syslog over TCP.
I've tried configuring it like this:

inputs.conf
[tcp-ssl:514]
sourcetype = syslog
[SSL]
rootCA = /opt/splunk/etc/auth/mycerts/CACertificate.pem
serverCert = /opt/splunk/etc/auth/mycerts/ServerCertificate.pem

What am I doing wrong?

0 Karma

tskubisz
Engager

Thanks for the help.
I am not sure that I correctly understand how to implement this in my case.

On the Splunk side I need to configure inputs.conf and server.conf.
The outputs.conf is used on the client side (sending syslog device, universal forwarder, etc.).
In my case I don't have the option to configure a password for sending logs from Synology. I can only import a certificate if SSL is enabled for sending syslog.

I don't really understand why a password is needed there. I didn't set up any password for SSL. Is it required to set a password?

0 Karma

tskubisz
Engager

So... if I understand correctly:

inputs.conf (file on the Splunk server side)
server.conf (Splunk server side)
outputs.conf (in my case, the Synology NAS)

I don't understand why sslPassword is needed there.
I didn't set up any password for SSL; is it required?
On my Synology server there is no option to set up a password for sending logs via syslog.

0 Karma

anmolpatel
Builder

The config you need for the syslog:

- inputs.conf

    [SSL]
    serverCert = .pem
    sslPassword =
    requireClientCert = true

- outputs.conf

    [tcpout]
    sslPassword =
    clientCert = .pem
    useClientSSLCompression = true

- server.conf

    [sslConfig]
    serverCert = .pem
    sslRootCAPath = .pem
    sslPassword =

This is for the certs only; include other key/value pairs as required.

0 Karma
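The whole procedure the thread circles around, as an added example that is not code from the thread, from Synology or from Splunk: generate a CA and a server certificate the way the Splunk self-signing how-to does (the private keys are created with -aes256, so they carry a passphrase, and that passphrase is exactly what the sslPassword setting in the stanzas above is for), build the single PEM bundle that serverCert must point at (server cert, then the encrypted key, then the CA), write the inputs.conf and server.conf stanzas, and check the material before Splunk loads it. Everything it uses is an assumption for illustration: openssl in PATH, CERTDIR defaulting to a temporary directory instead of /opt/splunk/etc/auth/mycerts, the CN values, the passphrase "changeme", and port 514. Only the CA certificate is what the NAS needs to import; the bundle and its passphrase stay on the Splunk side.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk.
# Builds the one-file PEM bundle Splunk's [SSL] serverCert expects,
# writes matching inputs.conf / server.conf stanzas, and checks the
# material. Assumptions: openssl in PATH; CERTDIR, CNs, KEYPASS and
# the port are placeholders, not values taken from the thread.
set -eu

CERTDIR="${CERTDIR:-$(mktemp -d)}"   # stand-in for /opt/splunk/etc/auth/mycerts
KEYPASS="${KEYPASS:-changeme}"       # passphrase given to -aes256; this IS sslPassword
SYSLOG_PORT="${SYSLOG_PORT:-514}"    # port the NAS sends to (below 1024 needs root)

# CA and server key/cert, non-interactively (the how-to prompts instead).
gen_certs() {
  openssl genrsa -aes256 -passout "pass:$KEYPASS" -out "$CERTDIR/CAPrivate.key" 2048
  openssl req -new -key "$CERTDIR/CAPrivate.key" -passin "pass:$KEYPASS" \
    -subj "/CN=Lab Syslog CA" -out "$CERTDIR/CACertificate.csr"
  openssl x509 -req -sha256 -days 1095 -in "$CERTDIR/CACertificate.csr" \
    -signkey "$CERTDIR/CAPrivate.key" -passin "pass:$KEYPASS" \
    -out "$CERTDIR/CACertificate.pem"
  openssl genrsa -aes256 -passout "pass:$KEYPASS" -out "$CERTDIR/ServerPrivate.key" 2048
  openssl req -new -key "$CERTDIR/ServerPrivate.key" -passin "pass:$KEYPASS" \
    -subj "/CN=splunk.lab.example" -out "$CERTDIR/ServerCertificate.csr"
  openssl x509 -req -sha256 -days 1095 -in "$CERTDIR/ServerCertificate.csr" \
    -CA "$CERTDIR/CACertificate.pem" -CAkey "$CERTDIR/CAPrivate.key" \
    -passin "pass:$KEYPASS" -CAcreateserial -out "$CERTDIR/ServerCertificate.pem"
  # Splunk reads ONE file for serverCert: cert, then key, then CA.
  cat "$CERTDIR/ServerCertificate.pem" "$CERTDIR/ServerPrivate.key" \
      "$CERTDIR/CACertificate.pem" > "$CERTDIR/ServerBundle.pem"
  chmod 600 "$CERTDIR"/*.key "$CERTDIR/ServerBundle.pem"
}

# Layout check needing no openssl: at least two CERTIFICATE blocks
# (server + CA), exactly one private key, and the certificate first.
bundle_layout_ok() {
  f=$1
  certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
  keys=$(grep -c -- '-----BEGIN.*PRIVATE KEY-----' "$f" || true)
  first_cert=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$f" | head -n 1 | cut -d: -f1)
  first_key=$(grep -n -- '-----BEGIN.*PRIVATE KEY-----' "$f" | head -n 1 | cut -d: -f1)
  first_cert=${first_cert:-0}; first_key=${first_key:-0}
  [ "$certs" -ge 2 ] && [ "$keys" -eq 1 ] && \
    [ "$first_cert" -gt 0 ] && [ "$first_cert" -lt "$first_key" ]
}

# Checks Splunk will not report clearly: does sslPassword open the key,
# does the cert chain to the CA the NAS trusts, do cert and key match?
verify_material() {
  openssl pkey -in "$CERTDIR/ServerPrivate.key" -passin "pass:$KEYPASS" -noout
  openssl verify -CAfile "$CERTDIR/CACertificate.pem" "$CERTDIR/ServerCertificate.pem" >/dev/null
  certpub=$(openssl x509 -in "$CERTDIR/ServerCertificate.pem" -noout -pubkey)
  keypub=$(openssl pkey -in "$CERTDIR/ServerPrivate.key" -passin "pass:$KEYPASS" -pubout)
  [ "$certpub" = "$keypub" ]
}

# inputs.conf: [SSL] applies to every tcp-ssl input. sslPassword is just
# the key passphrase; it can be omitted only if the key is unencrypted.
inputs_conf() {
  cat <<EOF
[SSL]
serverCert = $1
sslPassword = $2
requireClientCert = false

[tcp-ssl:$3]
sourcetype = syslog
EOF
}

# server.conf: only the trust anchor. Setting serverCert/sslPassword under
# [sslConfig] would also replace the management-port (8089) certificate.
server_conf() {
  cat <<EOF
[sslConfig]
sslRootCAPath = $1
EOF
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping generation" >&2; return 0; }
  gen_certs
  verify_material
  bundle_layout_ok "$CERTDIR/ServerBundle.pem" || { echo "bundle layout wrong" >&2; return 1; }
  inputs_conf "$CERTDIR/ServerBundle.pem" "$KEYPASS" "$SYSLOG_PORT" > "$CERTDIR/inputs.conf"
  server_conf "$CERTDIR/CACertificate.pem" > "$CERTDIR/server.conf"
  echo "written to $CERTDIR; import $CERTDIR/CACertificate.pem on the NAS"
}
main
```

After copying the files under /opt/splunk/etc/auth/mycerts and merging the two stanzas into $SPLUNK_HOME/etc/system/local/, restart Splunk and test from any host that has the CA file, before touching the NAS, with `openssl s_client -connect <splunk-host>:514 -CAfile CACertificate.pem`; the handshake summary must end with "Verify return code: 0 (ok)". A wrong sslPassword shows up as the listener not starting at all, which is why the script checks the passphrase against the key first.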