Security

Authenticated TCP Input?

pezcrap
Explorer

I have set up a TCP input and have noticed that it is completely open by default. (For example if I hit that port from a web browser, it interprets the HTTP request as an event to be ingested). I need to be able to prevent arbitrary garbage from being ingested.

I see in the docs that it is possible to lock down the import to specific hosts or IP addresses, but I need to be able to support data ingestion from anywhere. What I really need is some form of authentication on the input.

Is this possible with TCP inputs?

If not, I assume I would need to build my own authenticated TCP interface and then stream the data from that to Splunk. Is this a good approach? What is the best way to stream the data? Some sort of persistent queue?


rdimri_splunk
Splunk Employee

So I think that there are couple of ways to address this.
1) If your forwarding system is non-Splunk: By writing a small proxy. You could spawn a small multi-threaded TCP server (in Python for ease), and then have some form of authentication of forwarders, as a handshake step after the connection is established. After the handshake is done you can just blindly start forwarding data to the tcpinput port.
2) If your forwarding system is Splunk based: There is a mechanism for setting up shared secret keys between the forwarding and receiving side. You can do this by https://docs.splunk.com/Documentation/Forwarder/6.4.2/Forwarder/Controlforwarderaccess#Configure_the...

0 Karma
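The proxy from option 1, as an added example in Python (not from the answer above or from Splunk): a threaded TCP server that runs an HMAC-SHA256 challenge-response handshake and only then relays the client's bytes to the tcp input. The shared secret, the listening port, the upstream port and the newline-delimited handshake format are all assumptions.

```python
import hashlib, hmac, os, socket, socketserver, threading

SECRET = b"example-shared-secret"     # assumption: handed to forwarders out of band
SPLUNK_TCP = ("127.0.0.1", 9997)      # assumption: the Splunk tcp input port

def recv_line(conn, limit=256):
    """Read one newline-terminated line byte by byte: bounded, and no over-read
    into the event stream that follows the handshake."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.strip()

def handshake(conn, secret=SECRET):
    """Proxy side: send a random nonce, require HMAC-SHA256(secret, nonce) as hex back."""
    conn.settimeout(5.0)              # silent or slow clients are dropped, not queued
    nonce = os.urandom(16)
    expected = hmac.new(secret, nonce, hashlib.sha256).hexdigest().encode()
    try:
        conn.sendall(nonce.hex().encode() + b"\n")
        ok = hmac.compare_digest(recv_line(conn), expected)   # constant-time compare
        conn.sendall(b"OK\n" if ok else b"DENY\n")
    except OSError:
        return False
    return ok

def client_auth(conn, secret=SECRET):
    """Forwarder side of the same handshake; True when the proxy accepted us."""
    nonce = bytes.fromhex(recv_line(conn).decode())
    conn.sendall(hmac.new(secret, nonce, hashlib.sha256).hexdigest().encode() + b"\n")
    return recv_line(conn) == b"OK"

class AuthProxyHandler(socketserver.BaseRequestHandler):
    """Authenticate first; only then blindly relay bytes to the tcp input."""
    def handle(self):
        if not handshake(self.request, self.server.secret):
            return                    # unauthenticated: connection closes, nothing forwarded
        with socket.create_connection(self.server.upstream) as up:
            self.request.settimeout(None)
            while chunk := self.request.recv(4096):
                up.sendall(chunk)

def start_proxy(bind, upstream=SPLUNK_TCP, secret=SECRET):
    """Run the multi-threaded proxy in a background thread and return the server."""
    srv = socketserver.ThreadingTCPServer(bind, AuthProxyHandler)
    srv.daemon_threads = True
    srv.secret, srv.upstream = secret, upstream
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    start_proxy(("0.0.0.0", 10514))   # assumption: 10514 is the port forwarders reach
    threading.Event().wait()
```

The handshake proves possession of the secret but does not encrypt the stream, so the relayed events are still in the clear unless the listener is wrapped in TLS or the hosts use IPsec.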

LukeMurphey
Champion

What about using something like IPSEC between the hosts? Setting up an IPSEC policy on Windows is particularly simple. You can configure the policy such that it only allows communication on the given port if it is authenticated and secured.

0 Karma

martin_mueller
SplunkTrust

Not quite sure about the regular SDK, however if you're already working in Java you should take a look at https://github.com/damiendallimore/SplunkJavaLogging for logging directly to Splunk. On top of logging via TCP that comes with an implementation of logging to the authenticated REST API.

0 Karma

pezcrap
Explorer

Hi martin - that streamed events receiver looks useful. Is this exposed via the Java SDK? (I can't seem to find it) or is it necessary to hit the REST API directly?

0 Karma

martin_mueller
SplunkTrust

As an alternative to building your own authenticated TCP input you could use the existing Splunk REST API endpoints: http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fsimple for single events, http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fstream for streamed events.
