Getting Data In

SSL on universal, heavy, and splunk server?

byronschwab
Engager

Reading the questions that reference SSL certificates for splunk data I'm confused. If I simply use SSL to encrypt data from universal forwarders am I protected? I have universal forwarders sending data to heavy forwarders and heavy forwarders sending data to my splunk server. To be secure do i really have to put the ssl certificate and password on every universal and heavy forwarder? What to i gain by putting the certificate on the splunk server/indexer?

1 Solution

chris
Motivator

Hi there,

it depends on what you want to protect yourself from. If you just want to make sure that your network traffic is not transmitted in plain text, then gkanapathys answer in the following post is fine:

http://splunk-base.splunk.com/answers/397/how-to-configure-ssl-for-forwarding-and-receiving-data

If you want to make sure, that only known forwarders can send data to an indexer (1) and if you want to make sure that your forwarders are sending data to your known & trusted indexer(s)(2) then hexxs answer will be the way to go:

http://splunk-base.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certi...

(1) A risk I see here is that anyone could send data to an indexer (or the heavy forwarder in your case) and you would end up with rubbish/unwanted data in your indexes

(2) If the forwarders do not verify the indexer (or the heavy forwarder in your case) someone could set up a fake server and might manage to get the forwarders to send their data to it

So I guess it depends on how critical the data is you have in Splunk and whether you are sending the traffic over an insecure network (the internet) or not and whether you can afford to spend some time on this or not.

View solution in original post

chris
Motivator

Hi there,

it depends on what you want to protect yourself from. If you just want to make sure that your network traffic is not transmitted in plain text, then gkanapathys answer in the following post is fine:

http://splunk-base.splunk.com/answers/397/how-to-configure-ssl-for-forwarding-and-receiving-data

If you want to make sure, that only known forwarders can send data to an indexer (1) and if you want to make sure that your forwarders are sending data to your known & trusted indexer(s)(2) then hexxs answer will be the way to go:

http://splunk-base.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certi...

(1) A risk I see here is that anyone could send data to an indexer (or the heavy forwarder in your case) and you would end up with rubbish/unwanted data in your indexes

(2) If the forwarders do not verify the indexer (or the heavy forwarder in your case) someone could set up a fake server and might manage to get the forwarders to send their data to it

So I guess it depends on how critical the data is you have in Splunk and whether you are sending the traffic over an insecure network (the internet) or not and whether you can afford to spend some time on this or not.

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...