Reading the questions that reference SSL certificates for splunk data I'm confused. If I simply use SSL to encrypt data from universal forwarders am I protected? I have universal forwarders sending data to heavy forwarders and heavy forwarders sending data to my splunk server. To be secure do i really have to put the ssl certificate and password on every universal and heavy forwarder? What to i gain by putting the certificate on the splunk server/indexer?
Hi there,
it depends on what you want to protect yourself from. If you just want to make sure that your network traffic is not transmitted in plain text, then gkanapathys answer in the following post is fine:
http://splunk-base.splunk.com/answers/397/how-to-configure-ssl-for-forwarding-and-receiving-data
If you want to make sure, that only known forwarders can send data to an indexer (1) and if you want to make sure that your forwarders are sending data to your known & trusted indexer(s)(2) then hexxs answer will be the way to go:
http://splunk-base.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certi...
(1) A risk I see here is that anyone could send data to an indexer (or the heavy forwarder in your case) and you would end up with rubbish/unwanted data in your indexes
(2) If the forwarders do not verify the indexer (or the heavy forwarder in your case) someone could set up a fake server and might manage to get the forwarders to send their data to it
So I guess it depends on how critical the data is you have in Splunk and whether you are sending the traffic over an insecure network (the internet) or not and whether you can afford to spend some time on this or not.
Hi there,
it depends on what you want to protect yourself from. If you just want to make sure that your network traffic is not transmitted in plain text, then gkanapathys answer in the following post is fine:
http://splunk-base.splunk.com/answers/397/how-to-configure-ssl-for-forwarding-and-receiving-data
If you want to make sure, that only known forwarders can send data to an indexer (1) and if you want to make sure that your forwarders are sending data to your known & trusted indexer(s)(2) then hexxs answer will be the way to go:
http://splunk-base.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certi...
(1) A risk I see here is that anyone could send data to an indexer (or the heavy forwarder in your case) and you would end up with rubbish/unwanted data in your indexes
(2) If the forwarders do not verify the indexer (or the heavy forwarder in your case) someone could set up a fake server and might manage to get the forwarders to send their data to it
So I guess it depends on how critical the data is you have in Splunk and whether you are sending the traffic over an insecure network (the internet) or not and whether you can afford to spend some time on this or not.