SSL Letsencrypt for Splunk on Ubuntu

JosIJntema
Explorer

Hi there,

I have started my own Ubuntu 16.04 server and installed Splunk. This goes smoothly.

Also I have added a domain to the server and setup Let's Encrypt.

In the docs I find things about Splunk Web and SSL, but I cannot get this to work for my Splunk. For one, I do not have a web.conf.

How should I secure my Splunk environment? What is needed to do this the best way?

I will mainly use the HTTP Event Collector.

I am quite new to this, so any suggestions and help would be great.

Thanks.

Jos


JosIJntema
Explorer

Hi mmdoestino,

Thanks for your response.

First the web.conf was not available. When I tried to set SSL in the General Settings tab, it created the web.conf. Then I followed the tutorial and now it works.

However, I do not get the HEC to work.

I see in http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Inputsconf#.5Bhttp.5D the following new settings for the [http] stanza:

sslKeysfile
sslKeysfilePassword
caCertFile
caPath
serverCert
sslVersions

Which do I need to use when I am using the Let's Encrypt .pem files?


mattymo
Splunk Employee

Hey JosIJntema,

Have you seen this blog on using Let's Encrypt for Splunk Web?

https://www.splunk.com/blog/2016/08/12/secure-splunk-web-in-five-minutes-using-lets-encrypt/

What version of Splunk are you working with? You will need to ensure you have the Full Splunk Enterprise instance installed, not the universal forwarder...

http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/AboutsecuringyourSplunkconfigurationwithS...

You can also check out April 2016's talk from duckfez and starcher for a great overview:

https://wiki.splunk.com/Virtual_.conf

Once you have secured Splunk Web, you can then move to HEC, which since 6.4 has its own [http] stanza in inputs.conf (it used to share splunkd's SSL config in server.conf).

https://www.splunk.com/blog/2016/05/03/splunk-6-4-using-cors-and-ssl-settings-with-http-event-collec...

http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector

Anyways, I suggest starting with securing Splunk Web first with your certs, then moving to securing HEC.

- MattyMo

mattymo
Splunk Employee

As for the HEC use of SSL, if you simply flip on SSL in the global options (aka enableSSL=1), it will use the settings from server.conf, which look like this on my machine:

[splunker@n00bserver bin]$ ./splunk btool server list --debug

/home/splunker/splunk/etc/system/local/server.conf                                   [sslConfig]
/home/splunker/splunk/etc/system/default/server.conf                                 allowSslCompression = true
/home/splunker/splunk/etc/system/default/server.conf                                 allowSslRenegotiation = true
/home/splunker/splunk/etc/system/default/server.conf                                 caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
/home/splunker/splunk/etc/system/default/server.conf                                 caPath = $SPLUNK_HOME/etc/auth
/home/splunker/splunk/etc/system/default/server.conf                                 certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
/home/splunker/splunk/etc/system/default/server.conf                                 cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
/home/splunker/splunk/etc/system/default/server.conf                                 enableSplunkdSSL = true
/home/splunker/splunk/etc/system/default/server.conf                                 sendStrictTransportSecurityHeader = false
/home/splunker/splunk/etc/system/default/server.conf                                 serverCert = $SPLUNK_HOME/etc/auth/server.pem
/home/splunker/splunk/etc/system/local/server.conf                                   sslPassword = <REDACTED>
/home/splunker/splunk/etc/system/default/server.conf                                 sslVersions = *,-ssl2
/home/splunker/splunk/etc/system/default/server.conf                                 sslVersionsForClient = *,-ssl2
/home/splunker/splunk/etc/system/default/server.conf                                 useClientSSLCompression = true
/home/splunker/splunk/etc/system/default/server.conf                                 useSplunkdClientSSLCompression = true

I would try throwing your certs in the auth dir and pointing to it from the inputs, similar to how the caCertFile and path & server cert are set above.

I will try and get my letsencrypt set up cookin and let you know, or will confirm with others much smarter than me 😉

- MattyMo
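A worked example for the two open points in this thread: which [http] settings to point at the Let's Encrypt .pem files, and laying the certs out in the auth dir the way server.conf's serverCert and caCertFile are set in the btool output above. This is added example code, not from the thread, from Splunk, or from certbot. It assumes certbot's usual layout (cert.pem, chain.pem, fullchain.pem and privkey.pem under /etc/letsencrypt/live/<domain>/, with fullchain.pem being the leaf followed by the intermediates and privkey.pem unencrypted) and that the HEC serverCert expects the same combined leaf + key + chain PEM file that server.conf's serverCert does. The sample PEM blocks at the bottom are constructed placeholders, not real certificates or keys; the function names, the output file name hec-letsencrypt.pem and the domain example.com are this example's own.

```python
"""Assemble a Splunk-style combined server PEM from Let's Encrypt files and
render the matching [http] stanza for inputs.conf.

Added example, not code from the thread or from Splunk. Assumptions:
  * certbot writes fullchain.pem (leaf certificate, then intermediates) and an
    unencrypted privkey.pem under /etc/letsencrypt/live/<domain>/.
  * The HEC [http] stanza's serverCert takes the same combined layout as
    server.conf's [sslConfig] serverCert: leaf cert, private key, then the CA
    chain, concatenated into one PEM file.
"""
import re

# One PEM block: a BEGIN line, the base64 body, and the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return (label, block_text) for every PEM block in text, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_combined_pem(fullchain, privkey):
    """Return leaf certificate + private key + intermediates as one PEM string.

    fullchain: contents of fullchain.pem (leaf first, then intermediates).
    privkey:   contents of privkey.pem (exactly one PRIVATE KEY block).
    """
    certs = [b for label, b in pem_blocks(fullchain) if label == "CERTIFICATE"]
    keys = [b for label, b in pem_blocks(privkey) if label.endswith("PRIVATE KEY")]
    if not certs:
        raise ValueError("fullchain.pem contains no CERTIFICATE block")
    if len(keys) != 1:
        raise ValueError("privkey.pem must contain exactly one PRIVATE KEY block")
    leaf, intermediates = certs[0], certs[1:]
    return "\n".join([leaf, keys[0], *intermediates]) + "\n"


def hec_ssl_stanza(combined_pem_path, ca_chain_path, ssl_versions="tls1.2"):
    """Render the [http] settings that point HEC at the Let's Encrypt material.

    Only setting names from the inputs.conf [http] spec are used. No
    sslKeysfilePassword is emitted because certbot's private key is not
    encrypted; protect the combined file with file permissions instead.
    sslVersions = tls1.2 is stricter than the *,-ssl2 default shown by btool,
    which permits everything newer than SSLv2, including TLS 1.0 and 1.1.
    """
    lines = [
        "[http]",
        "enableSSL = 1",
        f"serverCert = {combined_pem_path}",
        f"caCertFile = {ca_chain_path}",
        f"sslVersions = {ssl_versions}",
    ]
    return "\n".join(lines) + "\n"


# Constructed sample input (not real certificates or keys): the bodies are
# placeholders, just enough to exercise the block parser.
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\nLEAFBODY\n-----END CERTIFICATE-----"
SAMPLE_INTERMEDIATE = (
    "-----BEGIN CERTIFICATE-----\nINTERMEDIATEBODY\n-----END CERTIFICATE-----"
)
SAMPLE_FULLCHAIN = SAMPLE_LEAF + "\n" + SAMPLE_INTERMEDIATE + "\n"
SAMPLE_PRIVKEY = "-----BEGIN PRIVATE KEY-----\nKEYBODY\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Hypothetical paths: the combined file lives next to Splunk's own auth
    # material, the chain stays where certbot put it.
    print(build_combined_pem(SAMPLE_FULLCHAIN, SAMPLE_PRIVKEY))
    print(hec_ssl_stanza("$SPLUNK_HOME/etc/auth/hec-letsencrypt.pem",
                         "/etc/letsencrypt/live/example.com/chain.pem"))
```

Run it against the real files by reading fullchain.pem and privkey.pem into strings and writing the result into $SPLUNK_HOME/etc/auth/ with permissions limited to the Splunk user; because certbot rotates the key on renewal, the combined file has to be rebuilt (for example from a certbot deploy hook) and splunkd restarted, otherwise HEC keeps serving the old certificate.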