Getting Data In

Use a Heavy Forward to Receive Unencrypted Traffic and Send Encrypted

skycree_rh
Explorer

Hi,
I have set up a heavy forwarder (with the Palo Alto TA installed) to accept unencrypted TCP traffic from a Palo Alto device on our local network. I would like to send the data encrypted using SSL to our indexer in AWS. The indexer in AWS is already configured and working for receiving SSL encrypted events. Is there a configuration that needs to be done on the heavy forwarder to allow this?

By running tcpdump I can see the unencrypted data coming from the Palo Alto device. I can see encrypted data going to our indexer but all that I can see is hostname related events in the _internal index, and no evidence of the pan:log sourcetype.

Thanks

0 Karma
1 Solution

skycree_rh
Explorer

For this particular situation the Palo Alto for Splunk App and TA only work with the main index. When I removed the custom index I could see the events populating.

0 Karma

hardikJsheth
Motivator

Yes, it can be done using SSL certificates. You need to add the certificate information to your outputs.conf as follows:

[tcpout:test_clustered_indexers]
server = indexer.abc.com:9997
compressed = true
# verify the indexer's certificate against the CA below instead of accepting any cert
sslVerifyServerCert = true
sslRootCAPath = /opt/splunkforwarder/etc/auth/certificate/cert.pem
# client certificate (with its private key) presented to the indexer
sslCertPath = /opt/splunkforwarder/etc/auth/certificate/CertFull.pem
# password protecting the private key in sslCertPath
sslPassword = <yourPassword>
useClientSSLCompression = true

and on the indexer machines you need to add the following stanza to inputs.conf.

# certificate settings shared by the indexer's SSL receiving ports;
# the port itself is declared in a separate [splunktcp-ssl:<port>] stanza
[SSL]
password = <cert password>
rootCA = <path to your root CA certificate>
serverCert = <path to your server certificate>
# reject forwarders that do not present a certificate signed by rootCA
requireClientCert = true

0 Karma

skycree_rh
Explorer

Hi, thanks for the response. Yes, I do have that setup already which is why I'm confused as to why the events are not showing in the index.

0 Karma