How to encrypt traffic between universal forwarder and indexer (getting error on server splunkd.log)?

snix
Communicator

I am trying to just set up a basic encryption between the Universal Forwarder and indexer using the certs that come with the install. I am trying to follow the directions on this Splunk doc but am running into issues:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/ConfigureSplunkforwardingtousethedefault...

On the inputs.conf for the indexer found under C:\Program Files\Splunk\etc\system\local on my Splunk server I added this stanza:

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false

Then on the outputs.conf for the UF found under C:\Program Files\SplunkUniversalForwarder\etc\system\local on one of my servers I have this for the config:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = [SplunkServerNameHere]:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslVerifyServerCert = false

[sslConfig]
caCertFile = cacert.pem
caPath = $SPLUNK_HOME\etc\auth

[tcpout-server://[SplunkServerNameHere]:9997]

I then reset both the Splunk server and UF and found logs were still getting ingested into the indexer with no issues, except from the UF that I was setting up to use an encrypted connection. It worked with no issue prior to the configuration change, but its traffic was getting rejected after the UF was reset. I looked at the splunkd.log file on the Splunk server and found this error:

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=[ClientIPHere]:60167 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
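The rejected size in that error is worth decoding before changing anything. Read as a big-endian 32-bit value, 369295616 is 0x16030100: content type 22 (handshake) and record version 3.1, which is exactly how a TLS ClientHello begins on the wire. That means the forwarder did start TLS, and the indexer's port 9997 was still a plaintext splunktcp listener that took the first four bytes of the handshake as a message length. The triage script below is an added example, not code from the post or from Splunk; the sample log line is the one quoted above with a documentation IP substituted, and the reading of the size field as the peer's leading bytes is my inference from that exact match rather than anything Splunk documents. It also generalizes to other stray clients on the port, for example an HTTP client whose "GET " shows up as size=1195725856.

```python
import re
import struct

# Constructed sample: the splunkd.log line quoted in the question above,
# with a documentation IP in place of the poster's client address.
SAMPLE_LOG = (
    "ERROR TcpInputProc - Message rejected. Received unexpected message of "
    "size=369295616 bytes from src=192.0.2.10:60167 in streaming mode. "
    "Maximum message size allowed=67108864. (::) Possible invalid source "
    "sending data to splunktcp port or valid source sending unsupported payload."
)

REJECT_RE = re.compile(
    r"TcpInputProc - Message rejected\. Received unexpected message of "
    r"size=(?P<size>\d+) bytes from src=(?P<src>\S+)"
)

# TLS record header: content type (1 byte), legacy record version (2 bytes),
# length (2 bytes). A ClientHello normally carries record version 3.1 (TLS 1.0)
# whatever version the client actually supports, so do not read it as the
# negotiated protocol version.
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake",
                     23: "application_data"}
TLS_RECORD_VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                       (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


def decode_rejected_size(size):
    """Reinterpret the rejected 'size' as the first four bytes the peer sent.

    Assumption (mine, not stated by Splunk): the plaintext splunktcp reader
    takes the leading bytes of the stream as a big-endian 32-bit message
    length, so a non-S2S client's opening bytes appear verbatim in this number.
    """
    if not 0 <= size <= 0xFFFFFFFF:
        return None
    leading = struct.pack(">I", size)
    ctype, vmaj, vmin, _ = leading
    info = {"leading_bytes": leading.hex(), "tls_content_type": None,
            "tls_record_version": None, "ascii": None}
    if ctype in TLS_CONTENT_TYPES and (vmaj, vmin) in TLS_RECORD_VERSIONS:
        info["tls_content_type"] = TLS_CONTENT_TYPES[ctype]
        info["tls_record_version"] = TLS_RECORD_VERSIONS[(vmaj, vmin)]
    elif all(0x20 <= b < 0x7F for b in leading):
        info["ascii"] = leading.decode("ascii")  # e.g. "GET " from an HTTP client
    return info


def triage(line):
    """Classify one rejection line; returns None for lines that are not this error."""
    m = REJECT_RE.search(line)
    if not m:
        return None
    size = int(m.group("size"))
    info = decode_rejected_size(size)
    if info is None:
        verdict = "size_not_a_32bit_value"
    elif info["tls_content_type"] == "handshake":
        verdict = "tls_handshake_on_plaintext_port"
    elif info["tls_content_type"]:
        verdict = "tls_record_on_plaintext_port"
    elif info["ascii"]:
        verdict = "text_protocol_on_splunktcp_port"
    else:
        verdict = "unknown_payload"
    return {"src": m.group("src"), "size": size, "verdict": verdict, **(info or {})}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A verdict of tls_handshake_on_plaintext_port from a known forwarder address points at the receiving side (no [splunktcp-ssl:<port>] stanza for that port), not at the forwarder's certificate settings; the same line from an unknown source is a different problem and worth a look at who is connecting to 9997.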

broberg
Communicator

Hi.
I did this yesterday, and on the indexer I needed to change the

  • server.conf
  • inputs.conf

server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

inputs.conf
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false

On the UF, I needed to add

  • outputs.conf
  • server.conf

outputs.conf
[tcpout]
[tcpout:group1]
server = 192.168.1.79:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert = false

server.conf
[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem

I don't know if it's 100% correct, but it worked in my lab environment.


tejasode
Observer

How do we validate the encrypted log, post doing the changes?

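Two things in the answer above deserve a check before it goes beyond a lab. The fix itself is the [splunktcp-ssl:9997] stanza on the indexer: without it the port stays a plaintext splunktcp listener and the forwarder's TLS handshake is what gets rejected. But with sslVerifyServerCert = false on the forwarder and requireClientCert = false on the indexer, the link is encrypted and nothing is authenticated: the forwarder accepts whatever certificate the far end presents, and the indexer accepts any TLS client. With the install's default certificates that is also the best you can get, because the CA that signs them ships with every Splunk install. The linter below is an added example, not code from the thread or from Splunk; it parses the stanzas posted above plus a constructed hardened variant (my assumption: the same group with sslVerifyServerCert = true) and reports what each configuration actually guarantees.

```python
import configparser

# Stanzas reproduced from the thread above: the indexer inputs.conf as the
# question posted it, as the answer corrected it, and the answer's outputs.conf.
QUESTION_INPUTS = """
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false
"""

ANSWER_INPUTS = """
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false
"""

ANSWER_OUTPUTS = """
[tcpout]
[tcpout:group1]
server = 192.168.1.79:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert = false
"""

# Constructed hardened variant (an assumption, not from the thread): the same
# output group with server certificate verification switched on.
HARDENED_OUTPUTS = ANSWER_OUTPUTS.replace("sslVerifyServerCert = false",
                                          "sslVerifyServerCert = true")


def parse_conf(text):
    """Parse Splunk .conf text (INI-like). Keys keep their case and
    $SPLUNK_HOME is left alone (no interpolation)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _off(value):
    """Splunk booleans: a missing setting counts as off for the checks here."""
    return value is None or value.strip().lower() in ("false", "0", "no", "f")


def lint_indexer_inputs(text):
    """Findings for the receiving side as (severity, message) tuples."""
    cp = parse_conf(text)
    findings = []
    ssl_ports = [s.split(":", 1)[1] for s in cp.sections() if s.startswith("splunktcp-ssl:")]
    if not ssl_ports:
        findings.append(("error", "no [splunktcp-ssl:<port>] stanza: the receiving port stays a "
                         "plaintext splunktcp listener and a forwarder that starts TLS is "
                         "rejected with 'unexpected message of size=...'"))
    ssl = cp["SSL"] if cp.has_section("SSL") else {}
    if ssl_ports and not ssl.get("serverCert"):
        findings.append(("error", "[SSL] serverCert is not set for port(s) " + ", ".join(ssl_ports)))
    if _off(ssl.get("requireClientCert")):
        findings.append(("info", "requireClientCert is off: any TLS client can send events, the "
                         "forwarder's clientCert is not required"))
    return findings


def lint_forwarder_outputs(text):
    """Findings for each tcpout group on the forwarder."""
    cp = parse_conf(text)
    findings = []
    for sec in cp.sections():
        if not sec.startswith("tcpout:"):
            continue
        group, stanza = sec.split(":", 1)[1], cp[sec]
        if not stanza.get("clientCert"):
            findings.append(("error", f"{group}: no clientCert, TLS is not enabled for this group"))
        elif _off(stanza.get("sslVerifyServerCert")):
            findings.append(("warn", f"{group}: sslVerifyServerCert is off, the forwarder accepts any "
                             "certificate and cannot tell a man-in-the-middle from the indexer"))
        else:
            findings.append(("ok", f"{group}: TLS with server certificate verification; the CA in "
                             "server.conf [sslConfig] sslRootCAPath must be the issuer of the indexer cert"))
    return findings


if __name__ == "__main__":
    for name, findings in (("question inputs.conf", lint_indexer_inputs(QUESTION_INPUTS)),
                           ("answer inputs.conf", lint_indexer_inputs(ANSWER_INPUTS)),
                           ("answer outputs.conf", lint_forwarder_outputs(ANSWER_OUTPUTS)),
                           ("hardened outputs.conf", lint_forwarder_outputs(HARDENED_OUTPUTS))):
        print(name)
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```

On the validation question: the wire-level check is to run `openssl s_client -connect <indexer>:9997 </dev/null` from the forwarder host, which should print the indexer's certificate chain and a negotiated cipher; a plaintext listener prints no certificate and the handshake fails. On the indexer, the TcpInputProc "Message rejected" line should stop appearing in splunkd.log once the [splunktcp-ssl:9997] stanza is in place, and events from that forwarder should resume.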