Installation
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to configure SSL/TLS for forwarding

Haleb
Path Finder
‎05-22-2024 04:55 AM

I tried to configure SSL/TSL connection between Forwarder and Indexer. 

On forwarder /opt/splunkforwarder/etc/system/local/output.conf:

 

 

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = my.domain.com:9998
disabled = 0
clientCert = /opt/splunk/etc/auth/mycerts/client.pem
useClientSSLCompression = true

[tcpout-server://my.domain.com:9998]

 

 

Certificate  has been created by Certbot and prepared according to the instructions.  Works well for Splunk Web and I believe it works here too.
On indexer /opt/splunk/etc/system/local/inputs.conf

 

 

[splunktcp-ssl:9998]
disabled=0

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/test_full.pem

 

test_full.pem - prepared certificate from Certbot.
If I use forwarder without certificates everything works fine so there is no connection errors.
Output of splunk list forward-server

 

Configured but inactive forwards:
	my.domain.com:9998

 

 

From  /var/log/splunk/splunkd.log I can see the following error:

 

05-22-2024 11:51:03.823 +0000 ERROR TcpOutputFd [29087 TcpOutEloop] - Read error. Connection reset by peer
05-22-2024 11:51:03.823 +0000 WARN  AutoLoadBalancedConnectionStrategy [29087 TcpOutEloop] - Applying quarantine to ip=99.99.99.99 port=9998 connid=2 _numberOfFailures=2

 

Could you please help me debug the problem?

 

Labels (4)
Tags (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-22-2024 05:35 AM

Hi @Haleb,

did you followed all the instructions at https://docs.splunk.com/Documentation/Splunk/9.2.1/Security/ConfigureSplunkforwardingtousesignedcert.... ?

Ciao.

Giuseppe

0 Karma
Reply

Haleb
Path Finder
‎05-22-2024 05:37 AM

Hi, @gcusello 
Yes, i did

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-22-2024 05:41 AM

Hi @Haleb ,

it seems to be different that your: some options are missed.

Ciao.

Giuseppe

 

0 Karma
Reply

Haleb
Path Finder
‎05-22-2024 05:47 AM

@gcusello 
As i can see some of them are optional

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-22-2024 06:01 AM

Hi @Haleb,

not all of them, e.g. password that must be the same both on Indexers and on Forwarders.

Follow the configuration in the url.

Ciao.

Giuseppe

0 Karma
Reply

Haleb
Path Finder
‎05-22-2024 06:12 AM

Can clearify about what password are you talking about? Link that you send to me have only sslPassword field that should be used only if i use password for my certificate.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-22-2024 06:13 AM

Hi @Haleb,

exactly: use password for your certificate!

Ciao.

Giuseppe

0 Karma
Reply

Haleb
Path Finder
‎05-23-2024 01:43 AM

I tried to create a new certificate with password and still have the same error as previous:

Error encountered for connection from src=111.111.111.111:44922. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

0 Karma
Reply
Get Updates on the Splunk Community!

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...

Enterprise Security Content Update (ESCU) | New Releases

In October, the Splunk Threat Research Team had one release of new security content via the Enterprise ...