Hey splunksters,
-Just curious if anyone has had success getting secure syslog over TCP port 6514. The SafeNet appliance is supposed to send data to the indexer, which is being treated like the "syslog" server. I have tried using my own certificates and carefully pointing the various inputs, web, and server.conf files LIKE THIS:
https://wiki.splunk.com/Community:SplunkWeb_SSL_SelfSignedCert_NewRootCA
AND LIKE THIS:
https://community.splunk.com/t5/Getting-Data-In/How-to-configure-my-splunk-app-to-get-data-over-SSL/...
-Through playing with the configuration stanzas, I am no longer getting any splunkd errors.
-However, the INFO field (in splunkd) provides these messages:
IPv4 port 6514 is reserved for raw input (SSL)
IPv4 port 6514 is reserved for splunk 2 splunk
IPv4 port 6514 will negotiate s2s protocol level 4
creating raw acceptor for IPv4 port 6514 with SSL
The server IS listening on port 6514, but Wireshark does not show anything coming in, or any flags, for that port.
-So, I'm wondering if I need to allow client authentication?
-Do I have to use the certificates from the SafeNet side instead? They have sent over 3 certificates (KeySecure client certificate and PKI CA certificate/certificate chain).
If so, how do I import/install their certificates and apply them in the .confs?
Thanks!
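A reachability check for the 6514 listener, added here as an example and not part of the original post. It assumes the OpenSSL CLI is on the host you run it from and takes the indexer name plus the CA chain and client certificate/key files from SafeNet as placeholder arguments; it reports whether the TLS handshake completes, whether the indexer's certificate verifies against the CA you point it at, and whether the listener asked for a client certificate, then pushes one RFC 5425 framed test line through the session.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the OpenSSL CLI is
# installed; INDEXER, CA_CHAIN, CLIENT_CERT and CLIENT_KEY are placeholder
# arguments for the indexer hostname and the files SafeNet sent over.

# RFC 5425 octet-counting: each message is prefixed with its byte length and
# a space, so the TLS syslog receiver knows where one record ends.
frame_syslog() {
  msg="$1"
  printf '%s %s' "$(printf '%s' "$msg" | wc -c | tr -d ' ')" "$msg"
}

# Classify `openssl s_client` output. A CertificateRequest from the listener
# shows up as a CA-name list (TLS 1.2/1.3) or a "Client Certificate Types"
# line (TLS 1.2); a TLS 1.3 request that carries no CA hint is not visible.
client_auth_status() {
  out="$1"
  if printf '%s\n' "$out" | grep -q '^Acceptable client certificate CA names'; then
    echo "client-cert-requested"
  elif printf '%s\n' "$out" | grep -q '^Client Certificate Types:'; then
    echo "client-cert-requested"
  elif printf '%s\n' "$out" | grep -q 'Verify return code'; then
    echo "no-client-cert-request-seen"
  else
    echo "handshake-failed"
  fi
}

# Handshake with the indexer, trusting CA_CHAIN and presenting the client
# cert/key when given, then send one framed, constructed test line.
probe() {
  host="$1"; port="${2:-6514}"; cacert="$3"; ccert="$4"; ckey="$5"
  set -- -connect "$host:$port" -servername "$host"
  [ -n "$cacert" ] && set -- "$@" -CAfile "$cacert"
  [ -n "$ccert" ] && set -- "$@" -cert "$ccert" -key "$ckey"
  line="<134>1 2024-01-01T00:00:00Z probe-host tls-syslog-test - - - constructed test event"
  out=$(frame_syslog "$line" | openssl s_client "$@" 2>&1)
  echo "chain verify : $(printf '%s\n' "$out" | grep 'Verify return code' | head -n 1)"
  echo "client auth  : $(client_auth_status "$out")"
  echo "protocol     : $(printf '%s\n' "$out" | grep 'Protocol *:' | head -n 1)"
}

# Usage: ./probe.sh INDEXER [PORT] [CA_CHAIN] [CLIENT_CERT] [CLIENT_KEY]
if [ "$#" -ge 1 ]; then probe "$@"; fi
```

Run it once from the appliance's network segment without the client cert and once with it: if only the second run completes, the listener requires client authentication, and if neither run reaches "Verify return code", the problem is reachability rather than certificates.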