Installation

How to configure SSL/TLS for forwarding

Haleb
Path Finder

I tried to configure SSL/TSL connection between Forwarder and Indexer. 

On forwarder /opt/splunkforwarder/etc/system/local/output.conf:

 

 

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
disabled = false
server = my.domain.com:9998
disabled = 0
clientCert = /opt/splunk/etc/auth/mycerts/client.pem
useClientSSLCompression = true

[tcpout-server://my.domain.com:9998]

 

 

Certificate  has been created by Certbot and prepared according to the instructions.  Works well for Splunk Web and I believe it works here too.
On indexer 
/opt/splunk/etc/system/local/inputs.conf

 

 

[splunktcp-ssl:9998]
disabled=0

[SSL]
serverCert = /opt/splunk/etc/auth/mycerts/test_full.pem

 

test_full.pem - prepared certificate from Certbot.
If I use forwarder without certificates everything works fine so there is no connection errors.
Output of splunk list forward-server

 

Configured but inactive forwards:
	my.domain.com:9998

 

 

From  /var/log/splunk/splunkd.log I can see the following error:

 

05-22-2024 11:51:03.823 +0000 ERROR TcpOutputFd [29087 TcpOutEloop] - Read error. Connection reset by peer
05-22-2024 11:51:03.823 +0000 WARN  AutoLoadBalancedConnectionStrategy [29087 TcpOutEloop] - Applying quarantine to ip=99.99.99.99 port=9998 connid=2 _numberOfFailures=2

 

Could you please help me debug the problem?

 

Labels (4)
Tags (3)
0 Karma

gcusello
SplunkTrust
SplunkTrust
0 Karma

Haleb
Path Finder

Hi, @gcusello 
Yes, i did

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Haleb ,

it seems to be different that your: some options are missed.

Ciao.

Giuseppe

 

0 Karma

Haleb
Path Finder

@gcusello 
As i can see some of them are optional

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Haleb,

not all of them, e.g. password that must be the same both on Indexers and on Forwarders.

Follow the configuration in the url.

Ciao.

Giuseppe

0 Karma

Haleb
Path Finder

Can clearify about what password are you talking about? Link that you send to me have only sslPassword field that should be used only if i use password for my certificate.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Haleb,

exactly: use password for your certificate!

Ciao.

Giuseppe

0 Karma

Haleb
Path Finder

I tried to create a new certificate with password and still have the same error as previous:

Error encountered for connection from src=111.111.111.111:44922. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...