Am I missing any configurations with Splunk forwar...

SS1 · ‎02-08-2022

Hi,

I have configured my windows forwarder to use the custom CA and Server certificate. Below is the configuration and the forwarder is able to connect to indexer fine.

File: C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf

[tcpout]

defaultGroup = default-autolb-group

[tcpout:default-autolb-group]

server = XXX:9998

clientCert = C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\testCertificate.pem

sslPassword = XXX

useClientSSLCompression = true

sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\myCAcertificate.pem

[tcpout-server://XXX:9998]

But still in the splunkd.log file i am seeing below message,

X509Verify [14596 HTTPDispatch] - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see: http://docs.splunk.com/Documentation/Splunk/latest/Security/Howtoself-signcertificates

Any idea if I am missing any configs here?

PickleRick · ‎02-08-2022

Are you sure it's not related to another part of config?

To be on the safe side I'd do a tcpdump/wireshark dump and see which certs are really used on the wire.

Am I missing any configurations with Splunk forwarder SSL custom certificates?

encryption

Other

SSL

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout