Am I missing any configurations with Splunk forwar...

SS1 · ‎02-08-2022

Hi,

I have configured my windows forwarder to use the custom CA and Server certificate. Below is the configuration and the forwarder is able to connect to indexer fine.

File: C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf

[tcpout]

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

server = XXX:9998

clientCert = C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\testCertificate.pem

sslPassword = XXX

useClientSSLCompression = true

sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\myCAcertificate.pem

[tcpout-server://XXX:9998]

But still in the splunkd.log file i am seeing below message,

X509Verify [14596 HTTPDispatch] - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates

Any idea if I am missing any configs here?

PickleRick · ‎02-08-2022

Are you sure it's not related to another part of config?

To be on the safe side I'd do a tcpdump/wireshark dump and see which certs are really used on the wire.

Am I missing any configurations with Splunk forwarder SSL custom certificates?

encryption

other

SSL

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!