
Splunk ePO integration

jbv
Loves-to-Learn Lots

Hi,

We're trying to connect ePO via syslog to Splunk. We've followed the steps provided in the ePO add-on documentation and were able to capture logs from ePO. However, the logs are encrypted. When we raised this concern with our ePO support, he suggested 2 things:

1. Enable the supported TLS/cipher suites by ePO on the splunk side
2. Add the splunk as a registered server and make sure test Syslog is successful


From the Splunk documentation we followed, we're always getting a failed test syslog. Scouring around different docs and community posts on other SIEM brands, most seem to have had success (on connecting to ePO) once they verified that the cipher suite supported by ePO exists and is enforced on their collector.

Going from this, is there a way to check/verify which cipher suites are used by Splunk? I've seen the document regarding Splunk TLS, and it seems that the supported cipher suites for ePO are included in the default; however, is there a way to verify this?

Our setup is as follows:
- Configured HF on a Win server
- Configured inputs.conf as below:

jbv_0-1706768163899.png



0 Karma

PickleRick
SplunkTrust

If you're getting binary data in your events, that means that TLS is not enabled properly on that port.

So the way to go about it would be:

1) Configure TLS on that port (which you supposedly did), restart the receiver (did you?), and verify the connectivity with openssl s_client -connect.

2) Test connectivity from ePO, check logs on both sides for TLS-related errors.

3) If that doesn't give you any clues, do a tcpdump from the traffic and see what parameters both sides demand/offer.

0 Karma

jbv
Loves-to-Learn Lots

It's not binary, more like hex-encoded, see below:

\x00}\x00\x00ye\xBBE\x9A9\xEA!\xBE<\x8F$W\xBB\xC9EP\xA3\x8Ff\xECn_\x9D\xEB\xE8\xF8i\xDE\xD7\x00\x00,\x00\x9F\x00k\x00\xA3\x00j\x009\x008\x00\x9D\x00=\x005\x00\xA2\x00@\x002\x00\x9E\x00g\x003\x00\x9C\x00<\x00/\x00\x00\x00 

1. Yes, our inputs.conf is attached above. After every change we restart the Splunk services.
2. We're trying to get approval from the ePO admin to run Wireshark on the server; if not, we'll just generate MER logs and send them back to ePO support.

0 Karma

PickleRick
SplunkTrust

Ok. It is binary on the wire. It's just escaped either on input or when being presented in search (I never remember whether Splunk escapes such stuff on input or stores it raw).

You can just run the tcpdump on the Splunk side; it should be the same, of course.

0 Karma
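The escaped bytes posted above read like the cipher_suites field of a TLS ClientHello: a 0x002C length prefix (44 bytes, i.e. 22 suites) followed by two-byte suite IDs 00 9F, 00 6B, 00 A3, ... 00 2F, all RSA or DHE suites and no ECDHE (0xC0xx) suite among the 18 that survived the paste. PickleRick's step 3 is to capture the traffic and see what each side offers; the example below is an added illustration of that check, not code from the thread, from Splunk or from Trellix/McAfee. It constructs a ClientHello carrying those same suite IDs (constructed sample, the real capture would come from tcpdump), decodes the offered list, and intersects it with the server-side list as printed by `openssl ciphers -V '<cipher string>'`. Splunk's `cipherSuite` setting uses OpenSSL cipher-string syntax, so feeding your configured value to `openssl ciphers -V` gives the exact set the input will accept; the two server lists here are hypothetical. An empty intersection is what a client sees as a handshake_failure alert.

```python
"""Decode the cipher suites a client offers in its TLS ClientHello and check them
against the suites a TLS syslog input is configured to accept.

Added example for this thread; not Splunk or Trellix/McAfee code. Assumptions:
the escaped bytes in the post are a ClientHello cipher_suites field; the
server-side list is the output of `openssl ciphers -V '<cipherSuite value>'`.
"""
import re
import struct

# Suite IDs visible in the posted dump (0x2C = 44 bytes were declared, i.e. 22
# suites, but only these 18 survived the paste). No ECDHE suite is among them.
EPO_OFFERED = [
    0x009F, 0x006B, 0x00A3, 0x006A, 0x0039, 0x0038, 0x009D, 0x003D, 0x0035,
    0x00A2, 0x0040, 0x0032, 0x009E, 0x0067, 0x0033, 0x009C, 0x003C, 0x002F,
]

# Constructed sample of `openssl ciphers -V` output for a hypothetical
# ECDHE-only server list (the line format matches real OpenSSL output).
SERVER_ECDHE_ONLY = """\
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""

# Same hypothetical list with one DHE-RSA suite added.
SERVER_WITH_DHE = SERVER_ECDHE_ONLY + """\
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
"""


def build_client_hello(suite_ids, client_random=bytes(32)):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample; no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in suite_ids)
    body = (b"\x03\x03" + client_random + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites      # cipher_suites length + list
            + b"\x01\x00")                                  # compression methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_suites(record):
    """Return the suite IDs offered in a ClientHello record, in the client's order."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # skip client_version + random
    pos += 1 + body[pos]                                    # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = body[pos:pos + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        raise ValueError("truncated cipher_suites field")
    return [struct.unpack("!H", suites[i:i + 2])[0] for i in range(0, cs_len, 2)]


_V_LINE = re.compile(r"0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)")


def parse_openssl_ciphers_v(text):
    """Map suite ID -> OpenSSL name from `openssl ciphers -V` output."""
    return {int(m.group(1) + m.group(2), 16): m.group(3) for m in _V_LINE.finditer(text)}


def negotiable_suites(client_record, server_ciphers_v):
    """Suites both sides share, in client preference order; empty means handshake_failure."""
    server = parse_openssl_ciphers_v(server_ciphers_v)
    return [server[s] for s in parse_client_hello_suites(client_record) if s in server]


if __name__ == "__main__":
    hello = build_client_hello(EPO_OFFERED)
    print("client offers:", [f"0x{s:04X}" for s in parse_client_hello_suites(hello)])
    print("ECDHE-only server overlap:", negotiable_suites(hello, SERVER_ECDHE_ONLY))
    print("server with DHE overlap:  ", negotiable_suites(hello, SERVER_WITH_DHE))
```

To use it on real data, take the `cipherSuite` value from the input's stanza (`splunk btool inputs list --debug` shows which file sets it), run `openssl ciphers -V '<that value>'` and pass the output as the server list; for the client side, take the ClientHello record bytes from the tcpdump capture on the Splunk side instead of the constructed one. If the intersection is empty, the receiver is configured correctly for TLS but has no suite in common with what ePO offers, and the fix is on the `cipherSuite` side rather than the certificate side.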