Getting Data In

How to encrypt traffic between universal forwarder and indexer (getting error on server splunkd.log)?

snix
Communicator

I am trying to just set up a basic encryption between the Universal Forwarder and indexer using the certs that come with the install. I am trying to follow the directions on this Splunk doc but am running into issues:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/ConfigureSplunkforwardingtousethedefault...

On the inputs.conf for the indexer found under C:\Program Files\Splunk\etc\system\local on my Splunk server I added this stanza:

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false

Then on the outputs.config for the UF found under C:\Program Files\SplunkUniversalForwarder\etc\system\local on one of my servers I have this for the config:

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = [SplunkServerNameHere]:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslVerifyServerCert = false

[sslConfig]
caCertFile = cacert.pem
caPath = $SPLUNK_HOME\etc\auth

[tcpout-server://[SplunkServerNameHere]:9997]

I then reset both the Splunk server and UF and found logs were still getting ingested into the indexer with no issues except from the UF that I was setting up to use an encrypted connection. It worked with no issue prior to configuration change but its traffic was getting rejected after the UF was reset. I looked at the splunkd.log file on the Splunk server and found this error:

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=[ClientIPHere]:60167 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
Labels (2)
0 Karma

broberg
Communicator

Hi.
I did this yesterday and on the indexer i needed to change the

  • server.conf
  • inputs.conf

server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem

inputs.conf
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false

On the uf, i needed to add
- outputs.conf
- server.conf

output.conf
[tcpout]
[tcpout:group1]
server = 192.168.1.79:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert = false

server.conf
[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem

I don't know if its 100% correct, but it worked in my lab environment.

0 Karma

tejasode
Observer

How do we validate the encrypted log. post doing the changes ?

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...