Getting Data In
Highlighted

How to configure sending encrypted syslog via TCP

Engager

Hi.
I am struggling with this since few days. 😞

I sure that I don't understand some steps correct so that's the reason.
So I trying to configure sendings logs from my NAS servers (Synology) to my Splunk instance.

Logs are correctly receiving when I not use SSL in my Synology sendings log configuration. But when I enable SSL and import certificate in Synology then the logs are receiving but are hashed.

I searching for simple instruction how to set up Splunk to receiving Input Data via TCP and self-signed certificate.

I generated certificates with this instruction

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates

I generated files in /opt/splunk/etc/auth/mycerts
- CACertificate.csr
- CACertificate.pem
- CAPrivate.key
- ServerCertificate.csr
- ServerCertificate.pem
- ServerPrivate.key

After that I configure my Synology to sendings log via TCP port 514 with enabled SSL and imported CACertificate.pem

So I still don't understand how to configure Inputs.conf and server.conf in my Splunk Server to receiving ssl syslog over TCP
I've tried to configure like:

inputs.conf
[tcp-ssl:514]
sourcetype = syslog
[SSL]
rootCA = /opt/splunk/etc/auth/mycerts/CACertificate.pem
serverCert = /optsplunk/etc/auth/mycerts/ServerCertificate.pem

What I am doing wrong.

0 Karma
Highlighted

Re: How to configure sending encrypted syslog via TCP

Builder

Config you need, on the syslog:
- inputs.conf

[SSL]
serverCert = .pem
sslPassword = 
requireClientCert = true
  • outputs.conf

    [tcpout]
    sslPassword =
    clientCert = .pem
    useClientSSLCompression = true

  • server.conf

    [sslConfig]
    serverCert = .pem
    sslRootCAPath = .pem
    sslPassword =

This is for the certs only, include other key/pair as required

0 Karma
Highlighted

Re: How to configure sending encrypted syslog via TCP

Engager

So.. if I correct understand

inputs.conf (file on Splunk Server side)
server.cont (Splunk Server side)
outputs.conf (in my case is Synology NAS )

I don't understand why there is sslPassword needed.
I don't set up any password for SSL, is it require?.
On my synology server there is no option to set up password for sending logs via syslog.

0 Karma
Highlighted

Re: How to configure sending encrypted syslog via TCP

Engager

Thank's for help.
I am not sure did I correct understand how to implement this in my case.

On Splunk side a need to configure inputs.conf and server.conf.
The outputs.conf is use on client side (sending syslog device/ universal forwarder etc).
In my case I don't have option to configure password to sendings log from Synology. I Can only import certificate, if ssl is enabled to sending syslog.

I don't really understand why there is password needed. I don't setup any password for ssl. Is it require to set password.

0 Karma