Splunk ePO integration

jbv
Loves-to-Learn Lots

Hi,

We're trying to connect ePO via syslog to Splunk. We've followed the steps provided in the ePO add-on documentation and were able to capture logs from ePO. However, the logs are encrypted. Raising this concern to our ePO support, he suggested 2 things:

1. Enable the supported TLS/cipher suites by ePO on the splunk side
2. Add the splunk as a registered server and make sure test Syslog is successful


From the Splunk documentation we followed, we're always getting a failed test syslog, and scouring around different docs and community posts on other SIEM brands, most seem to have had success (on connecting to ePO) once they have verified that the supported cipher suite of the ePO exists and is enforced on their collector.

Going from this, is there a way to check/verify which cipher suites are used by Splunk? I've seen the document regarding Splunk TLS, and it seems that the supported cipher suites for ePO are included in the default; however, is there a way to verify this?

Our setup is as follows:
- Configured HF on a Win server
- Configured inputs.conf as below:

[screenshot of inputs.conf attached]


PickleRick
SplunkTrust

If you're getting binary data in your events, that means that TLS is not enabled properly on that port.

So the way to go about it would be:

1) Configure TLS on that port (which you supposedly did), restart the receiver (did you?), verify the connectivity with openssl s_client -connect

2) Test connectivity from ePO, check logs on both sides for TLS-related errors.

3) If that doesn't give you any clues, do a tcpdump from the traffic and see what parameters both sides demand/offer.


jbv
Loves-to-Learn Lots

It's not binary, more like hex-encoded, see below:

\x00}\x00\x00ye\xBBE\x9A9\xEA!\xBE<\x8F$W\xBB\xC9EP\xA3\x8Ff\xECn_\x9D\xEB\xE8\xF8i\xDE\xD7\x00\x00,\x00\x9F\x00k\x00\xA3\x00j\x009\x008\x00\x9D\x00=\x005\x00\xA2\x00@\x002\x00\x9E\x00g\x003\x00\x9C\x00<\x00/\x00\x00\x00 

1. Yes, our inputs.conf is attached above. After every change we restart Splunk services.
2. We're trying to get approval from the ePO admin to run Wireshark on the server; if not, we'll just generate MER logs and send them back to ePO support.


PickleRick
SplunkTrust

Ok. It is binary on the wire. It's just escaped either on input or when being presented in search (I never remember if Splunk escapes such stuff on input or stores it raw).

You can just run the tcpdump on the Splunk side - it should be the same, of course.

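To see what the "hex-encoded" event above actually is, here is an added Python example (not code from the thread, Splunk or ePO) that undoes Splunk's \xNN display escaping and recovers the list of cipher suites from the bytes: the posted fragment is a TLS ClientHello that starts partway into the record (no leading 0x16 record byte survived), so a tolerant scan for runs of known suite IDs is used alongside a strict parser for a complete record. The suite name table and the ClientHello builder used for self-testing are this example's own, and the name table is deliberately limited to the suites seen in the post.

```python
import re
import struct

# OpenSSL names for the TLS 1.2 suite IDs seen in the posted capture (subset of the IANA registry).
SUITE_NAMES = {
    0x009F: "DHE-RSA-AES256-GCM-SHA384", 0x006B: "DHE-RSA-AES256-SHA256", 0x00A3: "DHE-DSS-AES256-GCM-SHA384",
    0x006A: "DHE-DSS-AES256-SHA256", 0x0039: "DHE-RSA-AES256-SHA", 0x0038: "DHE-DSS-AES256-SHA",
    0x009D: "AES256-GCM-SHA384", 0x003D: "AES256-SHA256", 0x0035: "AES256-SHA",
    0x00A2: "DHE-DSS-AES128-GCM-SHA256", 0x0040: "DHE-DSS-AES128-SHA256", 0x0032: "DHE-DSS-AES128-SHA",
    0x009E: "DHE-RSA-AES128-GCM-SHA256", 0x0067: "DHE-RSA-AES128-SHA256", 0x0033: "DHE-RSA-AES128-SHA",
    0x009C: "AES128-GCM-SHA256", 0x003C: "AES128-SHA256", 0x002F: "AES128-SHA",
}

def unescape_splunk(text: str) -> bytes:
    """Turn Splunk's display form (printable chars literal, other bytes as \\xNN) back into bytes."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text).encode("latin-1")

def client_hello_suites(record: bytes) -> list[int]:
    """Strict parse of a complete TLS record carrying a ClientHello; returns the offered suite IDs."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32 + 1 + record[43]     # record+handshake headers, version, random, session id
    (n,) = struct.unpack_from("!H", record, pos)
    return list(struct.unpack_from(f"!{n // 2}H", record, pos + 2))

def longest_known_run(data: bytes) -> list[int]:
    """Tolerant scan for a damaged capture: the longest run of consecutive known suite IDs."""
    best: list[int] = []
    for start in range(len(data) - 1):
        run, pos = [], start
        while pos + 1 < len(data) and (sid := struct.unpack_from("!H", data, pos)[0]) in SUITE_NAMES:
            run.append(sid)
            pos += 2
        best = max(best, run, key=len)    # keeps the earliest run on ties
    return best

def build_client_hello(suites: list[int]) -> bytes:
    """Constructed ClientHello (TLS 1.2, fixed random, no extensions) used to exercise the parser."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack("!H", 2 * len(suites))
    body += struct.pack(f"!{len(suites)}H", *suites) + b"\x01\x00" + b"\x00\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Event text exactly as quoted in the post above (the record header bytes are already missing).
POSTED_EVENT = r"\x00}\x00\x00ye\xBBE\x9A9\xEA!\xBE<\x8F$W\xBB\xC9EP\xA3\x8Ff\xECn_\x9D\xEB\xE8\xF8i\xDE\xD7\x00\x00,\x00\x9F\x00k\x00\xA3\x00j\x009\x008\x00\x9D\x00=\x005\x00\xA2\x00@\x002\x00\x9E\x00g\x003\x00\x9C\x00<\x00/\x00\x00\x00 "

if __name__ == "__main__":
    print([f"0x{s:04X} {SUITE_NAMES[s]}" for s in longest_known_run(unescape_splunk(POSTED_EVENT))])
```

The 18 suites it recovers are what ePO offered when it opened a TLS handshake to a port that was listening for plain TCP, which is why the events are unreadable; compare that list against the cipher list actually configured on the receiving port.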