Security

Authenticated TCP Input?

pezcrap
Explorer

I have set up a TCP input and have noticed that it is completely open by default. (For example if I hit that port from a web browser, it interprets the HTTP request as an event to be ingested). I need to be able to prevent arbitrary garbage from being ingested.

I see in the docs that it is possible to lock down the import to specific hosts or IP addresses, but I need to be able to support data ingestion from anywhere. What I really need is some form of authentication on the input.

Is this possible with TCP inputs?

If not, I assume I would need to build my own authenticated TCP interface and then stream the data from that to Splunk. Is this a good approach? What is the best way to stream the data? Some sort of persistent queue?

Tags (2)

rdimri_splunk
Splunk Employee
Splunk Employee

So I think that there are couple of ways to address this.
1) If your fowarding system is non-splunk: By writing a small proxy. You could spawn a small multi threaded TCP server (in python for ease), and then have some form of authentication of forwarders, as a handshake step after connection is established. After handshake is done you can just blindly start forwarding data to the tcpinput port.
2) If you forwarding system is Splunk based: There is a mechanism of setting up shared secret keys between forwarding an receiving side. You can do this by https://docs.splunk.com/Documentation/Forwarder/6.4.2/Forwarder/Controlforwarderaccess#Configure_the...

0 Karma

LukeMurphey
Champion

What about using something like IPSEC between the hosts? Setting up an IPSEC policy on Windows is particularly simple. You can configure the policy such that it only allows communication on the given port if it is authenticated and secured.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Not quite sure about the regular SDK, however if you're already working in Java you should take a look at https://github.com/damiendallimore/SplunkJavaLogging for logging directly to Splunk. On top of logging via TCP that comes with an implementation of logging to the authenticated REST API.

0 Karma

pezcrap
Explorer

Hi martin - that streamed events receiver looks useful. Is this exposed via the Java SDK? (I can't seem to find it) or it it necessary to hit the REST API directly?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

As an alternative to building your own authenticated TCP input you could use the existing Splunk REST API endpoints: http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fsimple for single events, http://docs.splunk.com/Documentation/Splunk/6.0.3/RESTAPI/RESTinput#receivers.2Fstream for streamed events.

Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...