Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use a Heavy Forward to Receive Unencrypted Traffic and Send Encrypted

skycree_rh
Explorer
‎04-24-2017 09:44 PM

Hi,
I have setup a heavy forwarder to accept TCP unencrypted traffic from a Palo Alto device, that has the Palo Alto TA installed, on our local network. I would like to send the data encrypted using SSL to our indexer in AWS. The indexer in AWS is already configured and working for receiving SSL encrypted events. Is there a configuration that needs to be done on the heavy forwarder to allow this?

By running tcpdump I can see the unencrypted data coming from the Palo Alto device. I can see encrypted data going to our indexer but all that I can see is hostname related events in the _internal index, and no evidence of the pan:log sourcetype.

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

skycree_rh
Explorer
‎04-25-2017 08:37 PM

For this particular situation the Palo Alto for Splunk App and TA only work with the main index. When I removed the custom index I could see the events populating.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

skycree_rh
Explorer
‎04-25-2017 08:37 PM

For this particular situation the Palo Alto for Splunk App and TA only work with the main index. When I removed the custom index I could see the events populating.

0 Karma
Reply
Solved! Jump to solution

hardikJsheth
Motivator
‎04-24-2017 11:41 PM

Yes it can be done using SSL certificates. You need to add certificate information in your outputs.conf as follows:

[tcpout:test_clustered_indexers]

server = indexer.abc.com:9997
compressed = true
sslVerifyServerCert = true
sslRootCAPath = /opt/splunkforwarder/etc/auth/certificate/cert.pem
sslCertPath = /opt/splunkforwarder/etc/auth/certificate/CertFull.pem
sslPassword = <yourPassword>
useClientSSLCompression = true

and on the indexers machines need to add following stanza in inputs.conf.

[SSL]
password = <cert password>
rootCA =<path to your root CA certificate>
serverCert = <Path to your server certificate>
requireClientCert = true
0 Karma
Reply
Solved! Jump to solution

skycree_rh
Explorer
‎04-25-2017 08:06 AM

Hi, thanks for the response. Yes, I do have that setup already which is why I'm confused as to why the events are not showing in the index.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...