Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Securing communcation between Universal Forwarder and Heavy Forwarder

rwcbp
Explorer
‎07-01-2015 07:37 AM

Splunk Docs do not specifically state that default encryption is active between Universal Forwarders and Heavy Forwarders, is it?

Also, if a self-signed or third party cert is used for this environment, is the Universal Forwarder the "client" of the Heavy Forwarder in this example?

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:47 AM

By default, no, there is no crypto between forwarders and indexers or forwarders and intermediate forwarders.

If you choose to do encryption, the certificate situation is up to you. However, I would STRONGLY suggest use of either a private CA or 3rd party certs. Don't use the default self-signed stuff. George Starcher and I did a .conf talk on this subject at .conf 2014, should be able to find it in the talk archives.

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"

View solution in original post

Reply
Solved! Jump to solution

karthikeyan_k14
New Member
‎06-07-2017 09:07 PM

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"...

we are also deploying the same setup, but HF is in cluster mode for LB with fail over setup.
can anyone help the SSL certificate configuration of all (UF,HF and IDX) input.conf and output,conf. We are deployed 3rd party pki certificate. using Common name fro all Forwarders,IDX and DS

I need below answers for below queries
1. Have to initiate separate certificate for all forwarders with rootpath ? or same has to use in ssl client and server
2. please share sample configuration

0 Karma
Reply
Solved! Jump to solution

rwcbp
Explorer
‎07-01-2015 07:50 AM

Thanks for the quick response. I will search for the .conf 2014 discussion, as well.

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:47 AM

By default, no, there is no crypto between forwarders and indexers or forwarders and intermediate forwarders.

If you choose to do encryption, the certificate situation is up to you. However, I would STRONGLY suggest use of either a private CA or 3rd party certs. Don't use the default self-signed stuff. George Starcher and I did a .conf talk on this subject at .conf 2014, should be able to find it in the talk archives.

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:55 AM

Just remembered, I posted a copy of the slides post .conf with some followup comments based on audience questions at http://duanewaddle.com/splunk-conf-2014/

0 Karma
Reply
Solved! Jump to solution

rwcbp
Explorer
‎07-01-2015 08:02 AM

Much appreciated. Certainly saves time.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...