Getting Data In

How to encrypt traffic between universal forwarder and indexer (getting error on server splunkd.log)?

snix
Communicator

I am trying to just set up a basic encryption between the Universal Forwarder and indexer using the certs that come with the install. I am trying to follow the directions on this Splunk doc but am running into issues:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/ConfigureSplunkforwardingtousethedefault...

On the inputs.conf for the indexer found under C:\Program Files\Splunk\etc\system\local on my Splunk server I added this stanza:

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false

Then on the outputs.config for the UF found under C:\Program Files\SplunkUniversalForwarder\etc\system\local on one of my servers I have this for the config:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = [SplunkServerNameHere]:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslVerifyServerCert = false

[sslConfig]
caCertFile = cacert.pem
caPath = $SPLUNK_HOME\etc\auth

[tcpout-server://[SplunkServerNameHere]:9997]

I then reset both the Splunk server and UF and found logs were still getting ingested into the indexer with no issues except from the UF that I was setting up to use an encrypted connection. It worked with no issue prior to configuration change but its traffic was getting rejected after the UF was reset. I looked at the splunkd.log file on the Splunk server and found this error:

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=[ClientIPHere]:60167 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
Labels (2)
0 Karma

broberg
Communicator

Hi.
I did this yesterday and on the indexer i needed to change the

  • server.conf
  • inputs.conf

server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

inputs.conf
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false

On the uf, i needed to add
- outputs.conf
- server.conf

output.conf
[tcpout]
[tcpout:group1]
server = 192.168.1.79:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert = false

server.conf
[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem

I don't know if its 100% correct, but it worked in my lab environment.

0 Karma

tejasode
New Member

How do we validate the encrypted log. post doing the changes ?

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Get More Out of Your Security Practice With a SIEM

Get More Out of Your Security Practice With a SIEMWednesday, July 31, 2024  |  11AM PT / 2PM ETREGISTER ...