Hey Everyone,
Hope your week is going well. I'm currently working to securely forward data from a Universal Forwarder to a Splunk Indexer.
I'm aware the universal forwarder can connect via SSL, but I'm hoping to find another way to secure the transmission.
Currently looking at HTTP Event Collector (HEC), with which I saw that I can generate a token within Splunk and add it to the forwarder. So that would be another possible way of securing the transmission of data to Splunk.
Are there any additional ways that I'm not seeing?
TitanAE
Both the Universal Forwarder and HEC use SSL to encrypt the in-flight data (you should replace the default certs). It sounds like you want an authentication method - like the HEC tokens - for the UF.
I've never used it myself, but it looks like the UF also has authentication tokens that you can use. Here's the link to that section of the documentation. It looks very similar to HEC (but there's apparently no GUI method to configure it).
Why would you want to avoid the Splunk to Splunk + SSL / TLS communication?
I'm not trying to avoid it. I'm trying to see if there is anything I can do in addition to SSL/TLS communication.