Getting Data In

SSL between forwarders and indexers

jatin_patel
Path Finder

Is it possible to have index cluster tier which can support both non-ssl and ssl forwarders without running multiple instances?

Tags (3)
1 Solution

burwell
SplunkTrust
SplunkTrust

Building on above answers. Here are examples at least for Splunk 6.6

inputs.conf on the indexer

# non ssl
[splunktcp://<non_ssl_port>]

# ssl
[splunktcp-ssl:<ssl_port>]
[SSL]
requireClientCert = true
sslCommonNameToCheck = mycommonName
serverCert = /path/to/ssl/servercert.pem

outputs.conf on a forwarder using SSL

[tcpout]
defaultGroup             = splunkindexer-ssl

[tcpout:splunkindexer-ssl]
autoLBFrequency = 30
compressed  = false
server  = server1:<ssl_port>,server2:<ssl_port>,server3:<ssl_port>
clientCert  = /path_to_cert/servercert.pem
sslPassword  = password
sslRootCAPath  = /path_to_ca_cert/ca.cert.pem
sslCommonNameToCheck = mycommonName
sslVersions = tls1.2

View solution in original post

jatin_patel
Path Finder

Thanks everyone!!

0 Karma

burwell
SplunkTrust
SplunkTrust

Building on above answers. Here are examples at least for Splunk 6.6

inputs.conf on the indexer

# non ssl
[splunktcp://<non_ssl_port>]

# ssl
[splunktcp-ssl:<ssl_port>]
[SSL]
requireClientCert = true
sslCommonNameToCheck = mycommonName
serverCert = /path/to/ssl/servercert.pem

outputs.conf on a forwarder using SSL

[tcpout]
defaultGroup             = splunkindexer-ssl

[tcpout:splunkindexer-ssl]
autoLBFrequency = 30
compressed  = false
server  = server1:<ssl_port>,server2:<ssl_port>,server3:<ssl_port>
clientCert  = /path_to_cert/servercert.pem
sslPassword  = password
sslRootCAPath  = /path_to_ca_cert/ca.cert.pem
sslCommonNameToCheck = mycommonName
sslVersions = tls1.2

jatin_patel
Path Finder

Thanks so much for two answers!!

so,
I need inputs.conf with two ports one for one port for non-ssl(default 9997) and another for SSL?
Then just use SSL configs in outputs.conf for each forwarders where we need SSL?

is there some splunk docs out there which I can take a look?

0 Karma

skalliger
Motivator

Just look at the inputs.conf specifictaions. It's all described there.

Skalli

0 Karma

ddrillic
Ultra Champion

Sure, you can do that by setting on each forwarder outputs.conf as you choose to with or without ssl. If your outputs.conf is deployed via the apps then you can deploy to each set of forwarders the desired ssl or not configurations.

0 Karma

jkuepker_splunk
Splunk Employee
Splunk Employee

Yes, but they cannot be on the same port. You will need to have one [splunktcp-ssl:] stanza and [splunktcp:] stanza in your inputs.conf.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...