Getting Data In

Use a Heavy Forwarder to Receive Unencrypted Traffic and Send Encrypted

skycree_rh
Explorer

Hi,
I have set up a heavy forwarder, with the Palo Alto TA installed, to accept unencrypted TCP traffic from a Palo Alto device on our local network. I would like to send the data encrypted using SSL to our indexer in AWS. The indexer in AWS is already configured and working for receiving SSL-encrypted events. Is there a configuration that needs to be done on the heavy forwarder to allow this?

By running tcpdump I can see the unencrypted data coming from the Palo Alto device. I can see encrypted data going to our indexer but all that I can see is hostname related events in the _internal index, and no evidence of the pan:log sourcetype.

Thanks

0 Karma
1 Solution

skycree_rh
Explorer

For this particular situation the Palo Alto for Splunk App and TA only work with the main index. When I removed the custom index I could see the events populating.

0 Karma

hardikJsheth
Motivator

Yes, it can be done using SSL certificates. You need to add the certificate information to your outputs.conf as follows:

[tcpout:test_clustered_indexers]

server = indexer.abc.com:9997
compressed = true
sslVerifyServerCert = true
sslRootCAPath = /opt/splunkforwarder/etc/auth/certificate/cert.pem
sslCertPath = /opt/splunkforwarder/etc/auth/certificate/CertFull.pem
sslPassword = <yourPassword>
useClientSSLCompression = true

and on the indexer machines you need to add the following stanza to inputs.conf.

[SSL]
password = <cert password>
rootCA = <path to your root CA certificate>
serverCert = <path to your server certificate>
requireClientCert = true

0 Karma
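To check that a forwarder/indexer pair actually matches the settings in the answer above, here is an added example (not Splunk's code and not from the answer's author): a small linter that parses Splunk's stanza-style .conf syntax and flags a tcpout group that encrypts without verifying the indexer's certificate, or an indexer [SSL] stanza that accepts any client. The sample configs embedded in it are constructed for the demo, and treating a group as TLS-enabled when it sets sslCertPath/clientCert or useSSL = true is an assumption about the forwarder's legacy behaviour.

```python
"""Lint TLS settings in Splunk outputs.conf / inputs.conf stanzas (added example)."""
import re
from typing import Dict, List

# Constructed sample: forwarder encrypts but never verifies the indexer cert.
WEAK_OUTPUTS = """
[tcpout]
defaultGroup = test_clustered_indexers

[tcpout:test_clustered_indexers]
server = indexer.example.com:9997
compressed = true
sslCertPath = /opt/splunkforwarder/etc/auth/certificate/CertFull.pem
sslPassword = REDACTED
"""

# Constructed sample: same group with the verification settings from the answer.
HARDENED_OUTPUTS = """
[tcpout:test_clustered_indexers]
server = indexer.example.com:9997
compressed = true
sslVerifyServerCert = true
sslRootCAPath = /opt/splunkforwarder/etc/auth/certificate/cert.pem
sslCertPath = /opt/splunkforwarder/etc/auth/certificate/CertFull.pem
sslPassword = REDACTED
useClientSSLCompression = true
"""

# Constructed sample: indexer-side inputs.conf with an SSL listener.
INDEXER_INPUTS = """
[splunktcp-ssl:9997]
disabled = 0

[SSL]
password = REDACTED
rootCA = /opt/splunk/etc/auth/certificate/cacert.pem
serverCert = /opt/splunk/etc/auth/certificate/server.pem
requireClientCert = true
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk's INI-like syntax into {stanza: {key: value}}.
    Blank lines and '#' comments are skipped; keys are case-sensitive."""
    conf: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            conf.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[current][key.strip()] = value.strip()
    return conf


def _is_true(value: str) -> bool:
    return value.lower() in ("true", "1", "yes")


def lint_outputs(text: str) -> List[str]:
    """Findings for every tcpout:<group> stanza: no TLS, or TLS without
    server-certificate verification (the indexer could be impersonated)."""
    findings: List[str] = []
    for name, kv in parse_conf(text).items():
        if not name.startswith("tcpout:"):
            continue
        # Assumption: a client cert or useSSL=true means the group uses TLS.
        tls = "sslCertPath" in kv or "clientCert" in kv or _is_true(kv.get("useSSL", ""))
        if not tls:
            findings.append(f"{name}: no TLS configured, events leave in cleartext")
            continue
        if not _is_true(kv.get("sslVerifyServerCert", "false")):
            findings.append(f"{name}: sslVerifyServerCert is not true")
        if not kv.get("sslRootCAPath"):
            findings.append(f"{name}: sslRootCAPath missing, server cert cannot be validated")
    return findings


def lint_inputs(text: str) -> List[str]:
    """Findings for the indexer's [SSL] stanza and its splunktcp-ssl listener."""
    conf = parse_conf(text)
    findings: List[str] = []
    ssl = conf.get("SSL")
    if ssl is None:
        return ["no [SSL] stanza: encrypted inputs cannot start"]
    for key in ("serverCert", "rootCA"):
        if not ssl.get(key):
            findings.append(f"[SSL] {key} missing")
    if not _is_true(ssl.get("requireClientCert", "false")):
        findings.append("[SSL] requireClientCert is not true, any host can forward data")
    if not any(n.startswith("splunktcp-ssl:") for n in conf):
        findings.append("no splunktcp-ssl input: nothing listens for encrypted traffic")
    return findings


if __name__ == "__main__":
    for label, fn, text in (("weak outputs.conf", lint_outputs, WEAK_OUTPUTS),
                            ("hardened outputs.conf", lint_outputs, HARDENED_OUTPUTS),
                            ("indexer inputs.conf", lint_inputs, INDEXER_INPUTS)):
        print(f"{label}: {fn(text) or ['ok']}")
```

Run it as-is to see the weak group flagged twice and the hardened pair pass; point `parse_conf` at the real files under `$SPLUNK_HOME/etc/system/local` or the relevant app's `local` directory to lint a live forwarder. It does not tell you whether events reach a given index, which is a separate question from transport encryption.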

skycree_rh
Explorer

Hi, thanks for the response. Yes, I do have that setup already which is why I'm confused as to why the events are not showing in the index.

0 Karma