I am trying to just set up a basic encryption between the Universal Forwarder and indexer using the certs that come with the install. I am trying to follow the directions on this Splunk doc but am running into issues:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Security/ConfigureSplunkforwardingtousethedefault...
On the inputs.conf for the indexer found under C:\Program Files\Splunk\etc\system\local
on my Splunk server I added this stanza:
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false
Then on the outputs.conf
for the UF found under C:\Program Files\SplunkUniversalForwarder\etc\system\local
on one of my servers I have this for the config:
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = [SplunkServerNameHere]:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslVerifyServerCert = false
[sslConfig]
caCertFile = cacert.pem
caPath = $SPLUNK_HOME\etc\auth
[tcpout-server://[SplunkServerNameHere]:9997]
I then reset both the Splunk server and the UF and found logs were still getting ingested into the indexer with no issues, except from the UF that I was setting up to use an encrypted connection. It worked with no issue prior to the configuration change, but its traffic was getting rejected after the UF was reset. I looked at the splunkd.log file on the Splunk server and found this error:
ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=[ClientIPHere]:60167 in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.
Hi.
I did this yesterday and on the indexer I needed to change the
server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
inputs.conf
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false
On the UF, I needed to add
- outputs.conf
- server.conf
outputs.conf
[tcpout]
[tcpout:group1]
server = 192.168.1.79:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert = false
server.conf
[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
I don't know if it's 100% correct, but it worked in my lab environment.
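As an added example, not code from this thread or from Splunk: a small Python checker that parses the two config fragments above and reports when a forwarder is configured to send TLS (clientCert set in its tcpout group, the switch both configs here use) to a port where inputs.conf has no enabled [splunktcp-ssl:<port>] stanza. That is the mismatch between the original post and the fix: the question's inputs.conf only has an [SSL] stanza, the answer adds [splunktcp-ssl:9997]. The sample configs are copied from the posts; the plaintext [splunktcp://9997] listener in the "broken" indexer sample is an assumption standing in for the stanza the asker did not show (other forwarders kept delivering on 9997). The checker also decodes the size value from the TcpInputProc error: 369295616 is 0x16030100, the first four bytes of a TLS handshake record (type 0x16, version 0x0301), read by a plaintext splunktcp listener as a message length.

```python
"""Added example: does a forwarder's outputs.conf agree with the indexer's
inputs.conf about TLS on the splunktcp port, and what do the bytes behind
the 'Message rejected ... size=N' error look like?"""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}.
    Keys before the first stanza land in "default"; '#' lines are comments.
    Enough for the fragments in this thread, not a full Splunk parser."""
    conf, stanza = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            conf.setdefault(stanza, {})[key.strip()] = value.strip()
    return conf


def _is_true(value):
    """Splunk accepts several spellings for boolean settings."""
    return value.strip().lower() in ("1", "true", "yes", "t", "y")


def check_ssl_pairing(inputs_text, outputs_text):
    """Return a list of mismatches; an empty list means both sides agree.
    Assumption: a tcpout group is TLS-enabled when it (or [tcpout]) sets
    clientCert, as the configs in the thread do."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    defaults, problems = outputs.get("tcpout", {}), []
    for stanza, keys in outputs.items():
        if not stanza.startswith("tcpout:"):
            continue
        merged = {**defaults, **keys}
        forwarder_tls = "clientCert" in merged
        for target in filter(None, (t.strip() for t in merged.get("server", "").split(","))):
            port = target.rsplit(":", 1)[-1]
            ssl_listener = inputs.get(f"splunktcp-ssl:{port}")
            ssl_on = ssl_listener is not None and not _is_true(ssl_listener.get("disabled", "0"))
            plain_on = f"splunktcp://{port}" in inputs
            if forwarder_tls and not ssl_on:
                problems.append(f"[{stanza}] sends TLS to {target} but inputs.conf has no enabled [splunktcp-ssl:{port}]")
            if forwarder_tls and plain_on:
                problems.append(f"[{stanza}] sends TLS to {target} but [splunktcp://{port}] is a plaintext listener")
            if not forwarder_tls and ssl_on and not plain_on:
                problems.append(f"[{stanza}] sends plaintext to {target} but port {port} only accepts TLS")
    if any(s.startswith("splunktcp-ssl:") for s in inputs) and "serverCert" not in inputs.get("SSL", {}):
        problems.append("inputs.conf has a [splunktcp-ssl:*] stanza but [SSL] sets no serverCert")
    return problems


def decode_rejected_size(size):
    """Turn the 'size=N' from the TcpInputProc error back into the 4 bytes the
    plaintext listener read as a big-endian length, and report whether they
    look like a TLS record header (type 0x16 = handshake, version 0x03 0x0x)."""
    head = size.to_bytes(4, "big")
    return head, head[0] == 0x16 and head[1] == 0x03 and head[2] <= 0x04


# Constructed samples. BROKEN_* mirror the question (the [splunktcp://9997]
# listener is assumed); FIXED_* mirror the answer's working lab config.
BROKEN_INPUTS = """[splunktcp://9997]
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false
"""
BROKEN_OUTPUTS = """[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = [SplunkServerNameHere]:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslVerifyServerCert = false
[sslConfig]
caCertFile = cacert.pem
caPath = $SPLUNK_HOME\\etc\\auth
[tcpout-server://[SplunkServerNameHere]:9997]
"""
FIXED_INPUTS = """[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
requireClientCert = false
"""
FIXED_OUTPUTS = """[tcpout]
[tcpout:group1]
server = 192.168.1.79:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert = false
"""

if __name__ == "__main__":
    for label, inp, out in (("question", BROKEN_INPUTS, BROKEN_OUTPUTS), ("answer", FIXED_INPUTS, FIXED_OUTPUTS)):
        print(label, check_ssl_pairing(inp, out) or "OK")
    print(decode_rejected_size(369295616))  # the size from the error in the question
```

Run it as-is; for a real deployment, paste the merged output of `splunk btool inputs list --debug` and `splunk btool outputs list --debug` into the two strings so that stanzas from apps are included. The checker only catches the listener mismatch; it says nothing about who is on the other end, and both configs in the thread leave sslVerifyServerCert = false, so the forwarder accepts any certificate.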
How do we validate the encrypted log after doing the changes?