
How to edit my AMI of Splunk's inputs.conf to allow TLS connections?

New Member

I am inexperienced with both Splunk and AWS, so keep that in mind. 😉
I wish to edit my AMI of Splunk Enterprise's inputs.conf file to allow TLS connections. I successfully accessed the AMI using SSH, and was able to su to get into the ./home/splunk folder. Once there I found no items in it. No etc folder. No anything.

I can hit the web interface and use Splunk Web so I know it is running. I just can't find the config files. Any pointers would be much appreciated. I am sure I am missing something obvious....

Thanks for your time!

Nick

0 Karma

Re: How to edit my AMI of Splunk's inputs.conf to allow TLS connections?

Splunk Employee

Hello Nick,

From my understanding of your question, you are wanting to enable TLS-only connections for your Splunk Web interface. The default installation path for Splunk is:

/opt/splunk

The above directory is usually referenced using $SPLUNK_HOME/. The changes that you are wanting to make would need to be made to the following files located inside of the $SPLUNK_HOME/etc/system/.... directory. The files that you would be working with are:

web.conf
server.conf

You will want to make sure that you are not modifying the files in the ../default/ (Default Folder/Directory -- $SPLUNK_HOME/etc/system/default/ ) as these files should not be modified. These files will be replaced during an upgrade, and as such you will want to make sure that you make modifications to the files in the ../local/ (Local Folder/Directory -- $SPLUNK_HOME/etc/system/local/ ).

For your files in the ../local/ directory, all you would need to do is copy the stanza from the ../default/web.conf (or server.conf) file into the ../local/web.conf (or server.conf) file and modify it to your needs. Now you can also modify the cipher suite being used, and the following link will provide further information on how to complete that process:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Determineyourciphersuite

The following link will provide information on setting the SSL Version to be used:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Security/SetyourSSLversion

This should provide the information needed to complete the changes that you are wanting to make to "Secure" your Splunk Web Interface.

Jeff Thompson

0 Karma

Re: How to edit my AMI of Splunk's inputs.conf to allow TLS connections?

New Member

Thanks Jeff. I am actually trying to enable a syslog over TLS feed. I just could not find the $SPLUNK_HOME$ on the AMI. Looks like it is /opt/splunk but I still can't seem to get it to work!

0 Karma

Re: How to edit my AMI of Splunk's inputs.conf to allow TLS connections?

Splunk Employee

Hello Nick,

Thank you for that additional information. To further assist you with this, please review the following Splunk Answers page, which discusses enabling a receiver for syslog ingestion:

https://answers.splunk.com/answers/506986/can-i-have-a-universal-forwarder-listen-on-port-ud-1.html#...

The information provided at the link in that Answers post and the information provided should help you get your syslog data into Splunk.

0 Karma
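
An added example, not part of any post in this thread and not Splunk's own code: a shell function that puts a TLS-wrapped TCP input into `etc/system/local/inputs.conf` (never `default/`), following the local-versus-default rule described above. The function name `write_tls_input`, port 6514, the `syslog` sourcetype and the certificate path are assumptions for illustration.

```shell
#!/bin/sh
# write_tls_input SPLUNK_HOME PORT CERT_PATH   (hypothetical helper name)
# Appends a [tcp-ssl:<port>] input and a shared [SSL] stanza to
# etc/system/local/inputs.conf. Files under etc/system/default are left
# alone because they are replaced on upgrade.
write_tls_input() {
    splunk_home=$1; port=$2; cert=$3
    local_dir="$splunk_home/etc/system/local"
    conf="$local_dir/inputs.conf"

    # Sanity check: a Splunk install has etc/system/default under its home.
    [ -d "$splunk_home/etc/system/default" ] || {
        echo "no etc/system/default under $splunk_home" >&2; return 2; }
    # The server certificate (cert + key PEM) must be readable before the
    # input is configured, otherwise the listener will not come up.
    [ -r "$cert" ] || { echo "certificate $cert not readable" >&2; return 3; }

    mkdir -p "$local_dir"
    touch "$conf"
    chmod 600 "$conf"   # the file may later hold sslPassword

    # Idempotent: never add a second stanza for the same port.
    if grep -qxF "[tcp-ssl:$port]" "$conf"; then
        echo "[tcp-ssl:$port] already present in $conf" >&2
        return 0
    fi
    cat >>"$conf" <<EOF

[tcp-ssl:$port]
sourcetype = syslog

EOF
    # [SSL] applies to every TLS input in this file, so write it only once.
    # Add sslPassword yourself if the private key is encrypted.
    if ! grep -qxF "[SSL]" "$conf"; then
        cat >>"$conf" <<EOF
[SSL]
serverCert = $cert
sslVersions = tls1.2
requireClientCert = false
EOF
    fi
}
# Example call (paths are placeholders):
#   write_tls_input /opt/splunk 6514 /opt/splunk/etc/auth/<your-cert>.pem
```

After restarting Splunk, `$SPLUNK_HOME/bin/splunk btool inputs list --debug` shows which file each effective setting comes from, which confirms the stanza is being read from `local/`.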