I am trying to just set up a basic encryption between the Universal Forwarder and indexer using the certs that come with the install. I am trying to follow the directions on this Splunk doc but am running into issues:
On the inputs.conf for the indexer found under
C:\Program Files\Splunk\etc\system\local on my Splunk server I added this stanza:
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false
Then on the outputs.conf for the UF found under C:\Program Files\SplunkUniversalForwarder\etc\system\local on one of my servers I have this for the config:
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = [SplunkServerNameHere]:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslVerifyServerCert = false

[sslConfig]
caCertFile = cacert.pem
caPath = $SPLUNK_HOME\etc\auth

[tcpout-server://[SplunkServerNameHere]:9997]
I then reset both the Splunk server and UF and found logs were still getting ingested into the indexer with no issues, except from the UF that I was setting up to use an encrypted connection. It worked with no issue prior to the configuration change, but its traffic was getting rejected after the UF was reset. I looked at the splunkd.log file on the Splunk server and found this error:
ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=[ClientIPHere]:60167 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
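The "size" in that error line is itself a diagnostic clue: splunktcp reads the first four bytes of a plaintext stream as a big-endian length, and 369295616 is 0x16030100, the start of a TLS handshake record (content type 0x16, record version 0x0301). In other words, the forwarder is speaking TLS to a port that is still listening in plaintext. The following Python script is an added example, not part of the original question or of Splunk; it parses a splunkd.log line of this shape (the sample line below is a constructed copy of the one quoted above) and reports whether the rejected bytes look like a TLS record header, which is the check a defender would run before touching either config file.

```python
import re
import struct

# Constructed sample: a copy of the splunkd.log error line quoted in the question.
SAMPLE_LOG_LINE = (
    "ERROR TcpInputProc - Message rejected. Received unexpected message of "
    "size=369295616 bytes from src=[ClientIPHere]:60167 in streaming mode. "
    "Maximum message size allowed=67108864. (::) Possible invalid source sending "
    "data to splunktcp port or valid source sending unsupported payload."
)

SIZE_RE = re.compile(r"Received unexpected message of size=(\d+) bytes from src=(\S+)")

# TLS record-layer content types (RFC 5246, section 6.2.1).
TLS_CONTENT_TYPES = {
    20: "change_cipher_spec",
    21: "alert",
    22: "handshake",
    23: "application_data",
}


def decode_rejected_size(line):
    """Interpret the rejected 'size' as the first four bytes the sender actually wrote.

    Returns None if the line is not a TcpInputProc size-rejection message. Otherwise
    returns a dict with the raw size, the source, the four bytes as hex, and whether
    they look like a TLS handshake record (content type 0x16, version 0x03xx).
    """
    m = SIZE_RE.search(line)
    if not m:
        return None
    size = int(m.group(1))
    src = m.group(2)
    if size > 0xFFFFFFFF:
        # Cannot have come from a 4-byte length field; nothing to decode.
        return {"size": size, "src": src, "bytes": None, "tls_handshake": False,
                "content_type": None, "tls_version": None}
    first4 = struct.pack(">I", size)
    content_type, ver_major, ver_minor = first4[0], first4[1], first4[2]
    # Record-layer versions run from SSL 3.0 (3,0) through TLS 1.3 (3,4).
    looks_like_tls = (content_type in TLS_CONTENT_TYPES
                      and ver_major == 3 and ver_minor <= 4)
    return {
        "size": size,
        "src": src,
        "bytes": first4.hex(),
        "tls_handshake": looks_like_tls and content_type == 22,
        "content_type": TLS_CONTENT_TYPES.get(content_type) if looks_like_tls else None,
        "tls_version": f"{ver_major}.{ver_minor}" if looks_like_tls else None,
    }


def diagnose(line):
    """One-line verdict for an operator reading splunkd.log."""
    info = decode_rejected_size(line)
    if info is None:
        return "not a TcpInputProc size-rejection line"
    if info["tls_handshake"]:
        return (f"{info['src']} sent a TLS handshake record (bytes {info['bytes']}) to a "
                "plaintext splunktcp port: the forwarder has SSL enabled but the receiving "
                "port is not configured for SSL")
    return f"{info['src']} sent {info['size']} bytes that do not look like a TLS record"


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG_LINE))
```

When the verdict is the TLS one, the mismatch is on the receiving side (the indexer's input is not accepting SSL on that port), not in the forwarder's certificate settings; a genuine certificate or password problem produces an SSL error rather than a size rejection.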
I did this yesterday, and on the indexer I needed to change the
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
disabled = 0
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false
On the UF, I needed to add
server = 192.168.1.79:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert = false
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
I don't know if it's 100% correct, but it worked in my lab environment.
How do we validate the encrypted log after making the changes?