I see the below warnings in the splunkd.log files on all my Splunk instances.
Could you please advise on how to resolve these, or can we ignore them?
WARN X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA). This puts your Splunk instance at very high-risk of the MITM attack. Either commercial-CA-signed or self-CA-signed certificates must be used; see:
As mentioned in the warning itself, default certificates are not considered highly secure. Anyone who has downloaded Splunk Enterprise has server certificates signed by the same root certificate and is able to authenticate to your certificates. To ensure that no one can easily snoop on your traffic or wrongfully send data to your indexers, Splunk recommends that you replace them with signed certificates.
You can either use a self-signed certificate, as described in https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Howtoself-signcertificates
or use a third-party certificate: https://docs.splunk.com/Documentation/Splunk/7.1.2/Security/Howtogetthird-partycertificates
The decision is purely based on your organizational requirements. Normally self-signed certificates are used in test/dev environments and external certificates are used in PROD. However, as mentioned, it purely depends on your data/environment security requirements and also the network zone in which you have set up your Splunk infra. If it's exposed to the "outside" world, it's always advised to use a proper certificate.
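A quick way to verify, from a defender's side, whether a given Splunk port is still presenting the shipped default certificate is to pull the certificate with openssl and inspect its subject and issuer names. The script below is an added example, not Splunk's own tooling or code from this thread. It assumes `openssl` is installed, that the default server certificate carries the subject shown in the warning above (O=SplunkUser, CN=SplunkServerDefaultCert), and that Splunk's bundled default CA uses the CN "SplunkCommonCA" (that issuer name is an assumption). The sample certificate names used for the self-check are constructed.

```shell
#!/bin/sh
# Added example (not Splunk's code): report whether a Splunk listener still
# presents the default certificate shipped with Splunk Enterprise.
# Assumptions: openssl is on PATH; default cert subject contains
# "SplunkServerDefaultCert" (from the warning); default CA CN is
# "SplunkCommonCA" (assumed name of Splunk's bundled default CA).

# classify_cert_names SUBJECT ISSUER
# Returns 0 when the names match Splunk's shipped defaults, 1 otherwise.
classify_cert_names() {
    subject="$1"
    issuer="$2"
    case "$subject" in
        *SplunkServerDefaultCert*) return 0 ;;   # subject from the warning text
    esac
    case "$issuer" in
        *SplunkCommonCA*) return 0 ;;            # assumed CN of the default CA
    esac
    return 1
}

# extract_field LABEL  (reads stdin)
# Prints the value of a "subject=" or "issuer=" line as emitted by
# `openssl x509 -noout -subject -issuer`.
extract_field() {
    sed -n "s/^$1=[[:space:]]*//p"
}

# report_cert_names LABEL SUBJECT ISSUER
# Human-readable verdict; returns 0 for a default cert, 1 for a custom one.
report_cert_names() {
    if classify_cert_names "$2" "$3"; then
        echo "$1: DEFAULT Splunk certificate presented (subject: $2)"
        return 0
    fi
    echo "$1: custom certificate (subject: $2; issuer: $3)"
    return 1
}

# check_splunk_port HOST PORT
# Fetches the certificate presented on HOST:PORT (8089 is the management
# port, 9997 a typical receiving port) and reports whether it is a default one.
# Returns 0 = default cert, 1 = custom cert, 2 = no certificate retrieved.
check_splunk_port() {
    host="$1"; port="$2"
    names=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null \
            | openssl x509 -noout -subject -issuer 2>/dev/null)
    if [ -z "$names" ]; then
        echo "$host:$port: could not retrieve a certificate"
        return 2
    fi
    subject=$(printf '%s\n' "$names" | extract_field subject)
    issuer=$(printf '%s\n' "$names" | extract_field issuer)
    report_cert_names "$host:$port" "$subject" "$issuer"
}

# Constructed sample of what `openssl x509 -noout -subject -issuer` prints for
# a default Splunk certificate; used to exercise the parsing offline.
SAMPLE_DEFAULT_OUTPUT='subject=O=SplunkUser, CN=SplunkServerDefaultCert
issuer=C=US, O=Splunk, CN=SplunkCommonCA'

# self_check: parse the constructed sample and confirm it is flagged.
self_check() {
    s=$(printf '%s\n' "$SAMPLE_DEFAULT_OUTPUT" | extract_field subject)
    i=$(printf '%s\n' "$SAMPLE_DEFAULT_OUTPUT" | extract_field issuer)
    report_cert_names "sample" "$s" "$i"
}

# Usage: ./check_splunk_cert.sh <host> [port]   (defaults to port 8089)
if [ "$#" -ge 1 ]; then
    check_splunk_port "$1" "${2:-8089}"
fi
```

Running it against each search head and indexer on 8089 (and on the receiving port, typically 9997) shows which hosts still answer with the default certificate; a standalone instance with no inter-node connections will not log the warning, but the listener still presents the same default certificate, which is what this check surfaces.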
We have a single Splunk instance running, doing the job of both search head and indexer. On it I can't see any such warnings. No self-signed or third-party certificate is placed on it apart from the Splunk default ones.
On the new setup where we have separate servers for the search head and indexer, I am getting this warning in the logs.
The warnings should come on both, if the default ones are not trustworthy.
@zeespl, the certificates are being used when there is a connection from server A to server B. If you have a standalone host, then there might not be any incoming/outgoing traffic. On the other hand, when the search heads and indexers are on different machines, it requires connections between different machines, hence the warning. Hope that helps!
@renjith.nair, in a standalone setup there is also incoming/outgoing traffic from forwarders. Does this not require a certificate?
Or is it just for internal communication between search heads and indexers?
Here is a summary of SSL traffic: http://docs.splunk.com/Documentation/Splunk/7.1.3/Security/AboutsecuringyourSplunkconfigurationwithS...
To check your traffic between forwarder and indexer: check if the following configurations are set.
I can't find anything in the inputs.conf file.
Would you mind sharing the exact steps to create, place and configure certificates in my setup: one search head and 2 indexers.
How can I procure third-party signed certificates, and how many of these are required and of what type?