Getting Data In

How to encrypt traffic between universal forwarder and indexer (getting error on server splunkd.log)?

snix
Communicator

I am trying to just set up a basic encryption between the Universal Forwarder and indexer using the certs that come with the install. I am trying to follow the directions on this Splunk doc but am running into issues:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/ConfigureSplunkforwardingtousethedefault...

On the inputs.conf for the indexer found under C:\Program Files\Splunk\etc\system\local on my Splunk server I added this stanza:

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false

Then on the outputs.conf for the UF found under C:\Program Files\SplunkUniversalForwarder\etc\system\local on one of my servers I have this for the config:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = [SplunkServerNameHere]:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslVerifyServerCert = false

[sslConfig]
caCertFile = cacert.pem
caPath = $SPLUNK_HOME\etc\auth

[tcpout-server://[SplunkServerNameHere]:9997]

I then reset both the Splunk server and UF and found logs were still getting ingested into the indexer with no issues except from the UF that I was setting up to use an encrypted connection. It worked with no issue prior to configuration change but its traffic was getting rejected after the UF was reset. I looked at the splunkd.log file on the Splunk server and found this error:

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=[ClientIPHere]:60167 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
0 Karma

broberg
Communicator

Hi.
I did this yesterday and on the indexer I needed to change the

  • server.conf
  • inputs.conf

server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

inputs.conf
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false

On the UF, I needed to add

  • outputs.conf
  • server.conf

outputs.conf
[tcpout]
[tcpout:group1]
server = 192.168.1.79:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert = false

server.conf
[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem

I don't know if it's 100% correct, but it worked in my lab environment.

0 Karma

tejasode
Observer

How do we validate the encrypted log post doing the changes?

0 Karma
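Two offline checks that speak to both the original error and the validation question, as an added example that is not part of this thread and not Splunk's own code. The rejected size in the question, 369295616, is 0x16030100: a plaintext splunktcp listener reads the first four bytes of a connection as a big-endian message length, and 16 03 01 is how a TLS handshake record begins, so the forwarder was speaking TLS to a port that was still a plaintext [splunktcp://9997] receiver. The script decodes that size and then compares an indexer inputs.conf with a forwarder outputs.conf to catch exactly that pairing mistake, plus the case where sslVerifyServerCert = false leaves the link encrypted but the indexer unauthenticated. The sample configs are constructed from the stanzas posted in the thread (the plain [splunktcp://9997] stanza and the hostname idx.example.invalid are assumptions); it uses only the Python standard library and never contacts a live Splunk instance.

```python
import re
import struct
from configparser import ConfigParser

# Constructed copy of the splunkd.log line quoted in the question.
LOG_LINE = (
    "ERROR TcpInputProc - Message rejected. Received unexpected message of "
    "size=369295616 bytes from src=[ClientIPHere]:60167 in streaming mode. "
    "Maximum message size allowed=67108864."
)


def rejected_size(line):
    """Extract the rejected message size from a TcpInputProc 'Message rejected' line."""
    m = re.search(r"size=(\d+) bytes", line)
    return int(m.group(1)) if m else None


def size_is_tls_record_header(size):
    """True if the 4-byte big-endian 'length' is really a TLS record header:
    0x16 (handshake) followed by record version 0x03 0x0N. 369295616 == 0x16030100."""
    b = struct.pack(">I", size)
    return b[0] == 0x16 and b[1] == 0x03 and b[2] <= 0x04


def parse_conf(text):
    """Parse a Splunk .conf file; stanza names and keys stay case-sensitive."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_tls_pairing(inputs_text, outputs_text):
    """Compare an indexer inputs.conf with a forwarder outputs.conf; return findings."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    findings, ssl_ports, plain_ports = [], set(), set()
    for sec in inputs.sections():
        m = re.match(r"splunktcp(-ssl)?:(?://)?(\d+)$", sec)
        if m:
            (ssl_ports if m.group(1) else plain_ports).add(m.group(2))
    if ssl_ports and not inputs.has_option("SSL", "serverCert"):
        findings.append("inputs.conf: [splunktcp-ssl] listener but [SSL] has no serverCert")
    for sec in outputs.sections():
        if not sec.startswith("tcpout:"):
            continue
        uses_tls = outputs.has_option(sec, "clientCert")  # clientCert makes the group use TLS
        for target in outputs.get(sec, "server", fallback="").split(","):
            target = target.strip()
            if not target:
                continue
            port = target.rsplit(":", 1)[-1]
            if uses_tls and port not in ssl_ports:
                kind = ("only a plaintext splunktcp listener" if port in plain_ports
                        else "no [splunktcp-ssl] listener")
                findings.append(f"[{sec}] sends TLS to port {port} but inputs.conf has {kind} there")
            elif not uses_tls and port in ssl_ports:
                findings.append(f"[{sec}] sends plaintext to port {port}, which is a [splunktcp-ssl] listener")
        if uses_tls and outputs.get(sec, "sslVerifyServerCert", fallback="false").lower() == "false":
            findings.append(f"[{sec}] sslVerifyServerCert=false: traffic is encrypted but the "
                            "forwarder does not verify which indexer it is talking to")
    return findings


# Constructed from the question: [SSL] added, but the receiver is assumed to still be a
# plain [splunktcp://9997] stanza, which is what the rejected size indicates.
QUESTION_INPUTS = """
[splunktcp://9997]
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false
"""
QUESTION_OUTPUTS = """
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = idx.example.invalid:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslVerifyServerCert = false
"""
# Constructed from the answer in the thread: a [splunktcp-ssl:9997] listener instead.
ANSWER_INPUTS = QUESTION_INPUTS.replace("[splunktcp://9997]", "[splunktcp-ssl:9997]")
ANSWER_OUTPUTS = """
[tcpout]
[tcpout:group1]
server = 192.168.1.79:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert = false
"""

if __name__ == "__main__":
    size = rejected_size(LOG_LINE)
    print(f"rejected size {size} = 0x{size:08X}; TLS record header: {size_is_tls_record_header(size)}")
    print("question:", check_tls_pairing(QUESTION_INPUTS, QUESTION_OUTPUTS))
    print("answer:", check_tls_pairing(ANSWER_INPUTS, ANSWER_OUTPUTS))
```

Run it against your own etc/system/local files (or the output of btool) after the change: a clean pairing report plus the disappearance of the "unexpected message of size=0x1603xxxx" lines in splunkd.log is the quickest evidence that the forwarder and indexer now agree on TLS. The remaining sslVerifyServerCert finding is the caveat worth keeping in view: with the bundled default certificates the channel is encrypted, but nothing stops a forwarder from handing its data to any host that presents some certificate on port 9997.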