Hey everyone.
First time SSL setup (IDX & UF both v8.x) and cert creation (never done before). Had a question about verifying if things worked. I walked through splunk docs and got to the point of verifying connection.
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration
On my IDX i can run:
index=_internal source=*metrics.log* group=tcpin_connections |
dedup hostname | table _time hostname version sourceIp destPort ssl
I do get expected result returned port (9998) and SSL = true.
BUT this was the only part of the instructions that i could follow to verify SSL items. I can't find anything else within Splunkd or index=_* referencing what is being mentioned in the validating procedures for the UF portion. I can see that the UF has the following output in splunkd "Connected to idx=10.202.20.229:9998". This UF is only setup to forward to the one server over port 9998.
The next steps i followed where on this page https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Troubleshootyouforwardertoindexerauthent...
openssl s_client -connect <server>:<port>
and the expected output mentioned Verify return code: 0 (ok) was instead returning code: 18 (self signed certificate).
Then on the UF i attempted to monitor a random log file that i update. On the main Splunk server i can see the data come in.
I'm just second guessing if i did things correctly given i wasn't able to validate internal Splunk logs.
UF
server.conf
[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/myCerts/myCACertificate.pem
sslPassword = <with pass here>
outputs.conf
[SSL]
[tcpout]
defaultGroup = group1
[tcpout:group1]
server = 10.202.20.229:9998
disabled = 0
clientCert = /opt/splunkforwarder/etc/auth/myCerts/myNewSplunkForwarderCert.pem
useClientSSLCompression = true
sslPassword = <with pass here>
IDX
inputs.conf
[splunktcp-ssl:9998]
disabled = 0
[SSL]
serverCert = /opt/splunk/etc/auth/myCerts/myNewSplunkIndexerCert.pem
sslPassword = <with pass here>
requireClientCert = "true"
server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/myCerts/myCACertificate.pem
sslPassword = <with pass here>