Security

Authenticated TCP Input?

pezcrap
Explorer

I have set up a TCP input and have noticed that it is completely open by default. (For example if I hit that port from a web browser, it interprets the HTTP request as an event to be ingested). I need to be able to prevent arbitrary garbage from being ingested.

I see in the docs that it is possible to lock down the import to specific hosts or IP addresses, but I need to be able to support data ingestion from anywhere. What I really need is some form of authentication on the input.

Is this possible with TCP inputs?

If not, I assume I would need to build my own authenticated TCP interface and then stream the data from that to Splunk. Is this a good approach? What is the best way to stream the data? Some sort of persistent queue?


rdimri_splunk
Splunk Employee

So I think that there are a couple of ways to address this.
1) If your forwarding system is non-Splunk: by writing a small proxy. You could spawn a small multi-threaded TCP server (in Python for ease), and then have some form of authentication of forwarders, as a handshake step after the connection is established. After the handshake is done you can just blindly start forwarding data to the tcpinput port.
2) If your forwarding system is Splunk based: there is a mechanism for setting up shared secret keys between the forwarding and receiving side. You can do this by https://docs.splunk.com/Documentation/Forwarder/6.4.2/Forwarder/Controlforwarderaccess#Configure_the...

0 Karma
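An added example of the proxy sketched in option 1 (my own illustration, not rdimri_splunk's code and not anything Splunk ships): the client must answer a random challenge with HMAC-SHA256 over a pre-shared secret before a single byte is relayed to the TCP input, so a browser's stray HTTP request never reaches Splunk. The `demo()` harness, the fake in-process listener standing in for the Splunk TCP input, and the secrets are constructed for the example.

```python
import hashlib, hmac, os, socket, threading

def recv_line(conn, limit=256):
    """Read one newline-terminated line byte by byte (no over-read); None on EOF/overflow."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk or len(buf) >= limit:
            return None
        buf += chunk
    return buf.rstrip(b"\r\n")

def expected_response(secret, nonce):
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest().encode()

def server_handshake(conn, secret):
    """Send a random nonce; accept only a reply matching HMAC-SHA256(secret, nonce)."""
    nonce = os.urandom(16).hex().encode()
    conn.sendall(b"CHALLENGE " + nonce + b"\n")
    reply = recv_line(conn)  # a browser's "GET / HTTP/1.1" lands here and fails the compare
    if reply is None or not hmac.compare_digest(reply, expected_response(secret, nonce)):
        conn.sendall(b"DENIED\n"); return False
    conn.sendall(b"OK\n"); return True

def handle_client(conn, secret, splunk_addr):
    """Authenticate first; only then open the upstream and blindly relay bytes."""
    with conn:
        if not server_handshake(conn, secret):
            return False
        with socket.create_connection(splunk_addr) as upstream:
            while chunk := conn.recv(4096):
                upstream.sendall(chunk)
    return True

def demo(server_secret, client_secret, payload=b"event one\nevent two\n"):
    """In-process run against a fake Splunk TCP input: (authenticated, bytes it received)."""
    sink = socket.socket(); sink.bind(("127.0.0.1", 0)); sink.listen(1); sink.settimeout(2)
    client, proxy_side = socket.socketpair()  # stands in for the forwarder's connection
    result = []
    t = threading.Thread(target=lambda: result.append(handle_client(proxy_side, server_secret, sink.getsockname())))
    t.start()
    nonce = recv_line(client).split(b" ", 1)[1]  # forwarder side answers the challenge
    client.sendall(expected_response(client_secret, nonce) + b"\n")
    if recv_line(client) == b"OK": client.sendall(payload)
    client.close(); t.join()
    received = b""
    if result[0]:
        with sink.accept()[0] as up:
            while chunk := up.recv(4096): received += chunk
    sink.close(); return result[0], received
```

A production version would also wrap the listener in TLS and rate-limit failed handshakes, since the shared secret alone does not encrypt the relayed events.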

LukeMurphey
Champion

What about using something like IPSEC between the hosts? Setting up an IPSEC policy on Windows is particularly simple. You can configure the policy such that it only allows communication on the given port if it is authenticated and secured.

0 Karma

martin_mueller
SplunkTrust

Not quite sure about the regular SDK, however if you're already working in Java you should take a look at https://github.com/damiendallimore/SplunkJavaLogging for logging directly to Splunk. On top of logging via TCP that comes with an implementation of logging to the authenticated REST API.

0 Karma

pezcrap
Explorer

Hi martin - that streamed events receiver looks useful. Is this exposed via the Java SDK? (I can't seem to find it.) Or is it necessary to hit the REST API directly?

0 Karma

martin_mueller
SplunkTrust

As an alternative to building your own authenticated TCP input you could use the existing Splunk REST API endpoints: http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fsimple for single events, http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fstream for streamed events.
