Getting Data In

How to configure sending encrypted syslog via TCP


I am struggling with this since few days. 😞

I sure that I don't understand some steps correct so that's the reason.
So I trying to configure sendings logs from my NAS servers (Synology) to my Splunk instance.

Logs are correctly receiving when I not use SSL in my Synology sendings log configuration. But when I enable SSL and import certificate in Synology then the logs are receiving but are hashed.

I searching for simple instruction how to set up Splunk to receiving Input Data via TCP and self-signed certificate.

I generated certificates with this instruction

I generated files in /opt/splunk/etc/auth/mycerts
- CACertificate.csr
- CACertificate.pem
- CAPrivate.key
- ServerCertificate.csr
- ServerCertificate.pem
- ServerPrivate.key

After that I configure my Synology to sendings log via TCP port 514 with enabled SSL and imported CACertificate.pem

So I still don't understand how to configure Inputs.conf and server.conf in my Splunk Server to receiving ssl syslog over TCP
I've tried to configure like:

sourcetype = syslog
rootCA = /opt/splunk/etc/auth/mycerts/CACertificate.pem
serverCert = /optsplunk/etc/auth/mycerts/ServerCertificate.pem

What I am doing wrong.

0 Karma


Thank's for help.
I am not sure did I correct understand how to implement this in my case.

On Splunk side a need to configure inputs.conf and server.conf.
The outputs.conf is use on client side (sending syslog device/ universal forwarder etc).
In my case I don't have option to configure password to sendings log from Synology. I Can only import certificate, if ssl is enabled to sending syslog.

I don't really understand why there is password needed. I don't setup any password for ssl. Is it require to set password.

0 Karma


So.. if I correct understand

inputs.conf (file on Splunk Server side)
server.cont (Splunk Server side)
outputs.conf (in my case is Synology NAS )

I don't understand why there is sslPassword needed.
I don't set up any password for SSL, is it require?.
On my synology server there is no option to set up password for sending logs via syslog.

0 Karma


Config you need, on the syslog:
- inputs.conf

serverCert = .pem
sslPassword = 
requireClientCert = true
  • outputs.conf

    sslPassword =
    clientCert = .pem
    useClientSSLCompression = true

  • server.conf

    serverCert = .pem
    sslRootCAPath = .pem
    sslPassword =

This is for the certs only, include other key/pair as required

0 Karma
Get Updates on the Splunk Community!

Observability | How to Think About Instrumentation Overhead (White Paper)

Novice observability practitioners are often overly obsessed with performance. They might approach ...

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

IDC Report: Enterprises Gain Higher Efficiency and Resiliency With Migration to Cloud  Today many enterprises ...

The Great Resilience Quest: 10th Leaderboard Update

The tenth leaderboard update (11.23-12.05) for The Great Resilience Quest is out >> As our brave ...