Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Securing communcation between Universal Forwarder and Heavy Forwarder

rwcbp
Explorer
‎07-01-2015 07:37 AM

Splunk Docs do not specifically state that default encryption is active between Universal Forwarders and Heavy Forwarders, is it?

Also, if a self-signed or third party cert is used for this environment, is the Universal Forwarder the "client" of the Heavy Forwarder in this example?

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:47 AM

By default, no, there is no crypto between forwarders and indexers or forwarders and intermediate forwarders.

If you choose to do encryption, the certificate situation is up to you. However, I would STRONGLY suggest use of either a private CA or 3rd party certs. Don't use the default self-signed stuff. George Starcher and I did a .conf talk on this subject at .conf 2014, should be able to find it in the talk archives.

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"

View solution in original post

Reply
Solved! Jump to solution

karthikeyan_k14
New Member
‎06-07-2017 09:07 PM

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"...

we are also deploying the same setup, but HF is in cluster mode for LB with fail over setup.
can anyone help the SSL certificate configuration of all (UF,HF and IDX) input.conf and output,conf. We are deployed 3rd party pki certificate. using Common name fro all Forwarders,IDX and DS

I need below answers for below queries
1. Have to initiate separate certificate for all forwarders with rootpath ? or same has to use in ssl client and server
2. please share sample configuration

0 Karma
Reply
Solved! Jump to solution

rwcbp
Explorer
‎07-01-2015 07:50 AM

Thanks for the quick response. I will search for the .conf 2014 discussion, as well.

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:47 AM

By default, no, there is no crypto between forwarders and indexers or forwarders and intermediate forwarders.

If you choose to do encryption, the certificate situation is up to you. However, I would STRONGLY suggest use of either a private CA or 3rd party certs. Don't use the default self-signed stuff. George Starcher and I did a .conf talk on this subject at .conf 2014, should be able to find it in the talk archives.

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:55 AM

Just remembered, I posted a copy of the slides post .conf with some followup comments based on audience questions at http://duanewaddle.com/splunk-conf-2014/

0 Karma
Reply
Solved! Jump to solution

rwcbp
Explorer
‎07-01-2015 08:02 AM

Much appreciated. Certainly saves time.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...