Security

Additional SSL Verification

v_trilo
New Member

Hey everyone.
First time SSL setup (IDX & UF both v8.x) and cert creation (never done before). Had a question about verifying if things worked. I walked through splunk docs and got to the point of verifying connection.

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration

On my IDX i can run:

index=_internal source=*metrics.log* group=tcpin_connections | 
dedup hostname | table _time hostname version sourceIp destPort ssl

I do get expected result returned port (9998) and SSL = true.
BUT this was the only part of the instructions that i could follow to verify SSL items. I can't find anything else within Splunkd or index=_* referencing what is being mentioned in the validating procedures for the UF portion. I can see that the UF has the following output in splunkd "Connected to idx=10.202.20.229:9998". This UF is only setup to forward to the one server over port 9998.

The next steps i followed where on this page https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Troubleshootyouforwardertoindexerauthent...

openssl s_client -connect <server>:<port>

and the expected output mentioned Verify return code: 0 (ok) was instead returning code: 18 (self signed certificate).
Then on the UF i attempted to monitor a random log file that i update. On the main Splunk server i can see the data come in.
I'm just second guessing if i did things correctly given i wasn't able to validate internal Splunk logs.

UF

server.conf 
 [sslConfig]
 sslRootCAPath = /opt/splunkforwarder/etc/auth/myCerts/myCACertificate.pem
 sslPassword = <with pass here>
outputs.conf 
 [SSL]
 [tcpout]
defaultGroup = group1
 [tcpout:group1]
 server = 10.202.20.229:9998
 disabled = 0
 clientCert = /opt/splunkforwarder/etc/auth/myCerts/myNewSplunkForwarderCert.pem
useClientSSLCompression = true
sslPassword = <with pass here>

IDX

inputs.conf
 [splunktcp-ssl:9998]
disabled = 0
[SSL]
serverCert = /opt/splunk/etc/auth/myCerts/myNewSplunkIndexerCert.pem
sslPassword = <with pass here>
requireClientCert = "true"
server.conf
 [sslConfig]
 sslRootCAPath = /opt/splunk/etc/auth/myCerts/myCACertificate.pem
 sslPassword = <with pass here>
Labels (2)
Tags (2)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...