Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

inputs.conf and outputs.conf for SSL encryption

chintan_shah
Path Finder
‎10-23-2017 03:29 PM

Hi,
Can someone share with me the recent inputs & outputs conf file for SSL encryption? I am having some trouble for securing the connection between forwarder and indexer.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-24-2017 12:33 AM

Hi chintan_shah,
this is an example that I used:
outputs.conf on Forwarders

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://xx.xxx.xxx.xxx:9997]
[tcpout-server://yy.yyy.yyy.yyy:9997]

[tcpout:default-autolb-group]
server = xx.xxx.xxx.xxx:9997, yy.yyy.yyy.yyy:9997
disabled=false
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
useACK=true
disabled = false

inputs.conf on Indexers

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
password = password
requireClientCert = false

This is a default configuration that you can modify following https://docs.splunk.com/Documentation/Splunk/7.0.0/Security/AboutsecuringyourSplunkconfigurationwith... .
Obvioulsy change password!

Bye.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-24-2017 12:33 AM

Hi chintan_shah,
this is an example that I used:
outputs.conf on Forwarders

[tcpout]
defaultGroup = default-autolb-group

[tcpout-server://xx.xxx.xxx.xxx:9997]
[tcpout-server://yy.yyy.yyy.yyy:9997]

[tcpout:default-autolb-group]
server = xx.xxx.xxx.xxx:9997, yy.yyy.yyy.yyy:9997
disabled=false
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
useACK=true
disabled = false

inputs.conf on Indexers

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
password = password
requireClientCert = false

This is a default configuration that you can modify following https://docs.splunk.com/Documentation/Splunk/7.0.0/Security/AboutsecuringyourSplunkconfigurationwith... .
Obvioulsy change password!

Bye.
Giuseppe

Reply
Solved! Jump to solution

kunalmao
Communicator
‎10-23-2017 08:40 PM

https://answers.splunk.com/answers/397/how-to-configure-ssl-for-forwarding-and-receiving-data.html

just look at this answer, hope it helps.

Please let me know if this solution does not fit you.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...