Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Secure transport of log files to our Splunk Server

sipapress2go
Engager
‎05-07-2010 07:39 AM

How do I secure my log file stream from our primary server to our dedicated Splunk server? Are there any secured layers I can use for the TCP transport?

I have tried to do it with an SSH-tunnel, but when the tunnel breaks down, the next message going through the tunnel is lost.

What do you do?

Reply
1 Solution
Solved! Jump to solution
Solution

matt
Splunk Employee
Splunk Employee
‎05-07-2010 04:47 PM

Splunk forwarders can encrypt their communication with the indexer using SSL, this can also be used to authenticate the forwarders which will prevent unauthorized forwarders from polluting your index. Documentation on how to configure encryption and authentication of forwarders using SSL can be found here

View solution in original post

Reply
Solved! Jump to solution
Solution

matt
Splunk Employee
Splunk Employee
‎05-07-2010 04:47 PM

Splunk forwarders can encrypt their communication with the indexer using SSL, this can also be used to authenticate the forwarders which will prevent unauthorized forwarders from polluting your index. Documentation on how to configure encryption and authentication of forwarders using SSL can be found here

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎05-07-2010 03:09 PM

Use a Splunk forwarder, configured in SSL mode. This is considered the best practice.

Reply
Solved! Jump to solution

CerielTjuh
Path Finder
‎05-07-2010 09:17 AM

Im not sure if this is what you mean but:

If the primary server is a windows server you could use a splunk forwarder with ssl connection, this will ensure data transport and data integrity. (does not require a extra license, forwarder licenses are free)

If the primary server is not a windows server, try a secure FTP connection to transfer the files to the splunk server.

The first method is approved by our SAS70 compliancy auditors, so should work for you as well 🙂

0 Karma
Reply
Solved! Jump to solution

CerielTjuh
Path Finder
‎05-10-2010 06:43 AM

true gkanapathy 😉

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎05-07-2010 04:55 PM

the splunk forwarder with ssl will work between any two platforms on which splunk runs, which includes most unixes, linux, and windows. rsyslog is fine too, but you're more on your own with respect to setting up matching certificates, etc.

0 Karma
Reply
Solved! Jump to solution

CerielTjuh
Path Finder
‎05-07-2010 11:58 AM

Maybe next gen syslog.

Syslog but over a TCP connection.

http://www.debianhelp.co.uk/syslog-ng.htm

0 Karma
Reply
Solved! Jump to solution

sipapress2go
Engager
‎05-07-2010 09:28 AM

Both servers run Debian and also I want to be able to follow progress of the primary server in close to realtime (with a delay of max 10 sec.).

Perhaps rsyslog is something I should look into?

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...