How do I secure my log file stream from our primary server to our dedicated Splunk server? Are there any secured layers I can use for the TCP transport?
I have tried to do it with an SSH-tunnel, but when the tunnel breaks down, the next message going through the tunnel is lost.
What do you do?
Im not sure if this is what you mean but:
If the primary server is a windows server you could use a splunk forwarder with ssl connection, this will ensure data transport and data integrity. (does not require a extra license, forwarder licenses are free)
If the primary server is not a windows server, try a secure FTP connection to transfer the files to the splunk server.
The first method is approved by our SAS70 compliancy auditors, so should work for you as well 🙂
Both servers run Debian and also I want to be able to follow progress of the primary server in close to realtime (with a delay of max 10 sec.).
Perhaps rsyslog is something I should look into?
the splunk forwarder with ssl will work between any two platforms on which splunk runs, which includes most unixes, linux, and windows. rsyslog is fine too, but you're more on your own with respect to setting up matching certificates, etc.
Splunk forwarders can encrypt their communication with the indexer using SSL, this can also be used to authenticate the forwarders which will prevent unauthorized forwarders from polluting your index. Documentation on how to configure encryption and authentication of forwarders using SSL can be found here