Security

How to use the default SSL certificate to encrypt data between Splunk Server and Universal Forwarder

dfigurello
Communicator

Hi Splunkers,

I am trying to encrypt my data in a lab to learn this feature. I need to apply this feature at my financial customer, who has critical data.
In this case, I am using the default Splunk certificate to test, located in C:\Program Files\Splunk\etc\auth

|| Splunk Server Windows 127.0.0.1:9998 || <---DATA ENCRYPTED--- || Universal Forwarder Windows ||

Universal Forwarder Windows
C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
compressed = true
requireClientCert = false
server = 127.0.0.1:9998
sslCertPath = C:\Program Files\Splunk\etc\auth\server.pem
sslPassword = password
sslRootCAPath = C:\Program Files\Splunk\etc\auth\cacert.pem

Splunk Server
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf

[splunktcp-ssl:9998]
connection_host = ip
compressed = true

[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\server.pem
rootCA = C:\Program Files\Splunk\etc\auth\cacert.pem
requireClientCert = false
password = password

When I did a search, I didn't see data in my Splunk.

Anyone have any idea?

Cheers!
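The two files above can be checked mechanically. What follows is an added example, not code from the thread or from Splunk: a small linter that reads an indexer inputs.conf and a forwarder outputs.conf as posted, reports anything that would stop data flowing over the splunktcp-ssl port (the case that makes splunkd log "SSL clause not found or servercert not provided", the message quoted later in the thread), and separately warns where the link is encrypted but not authenticated, which is exactly what the stock etc\auth certificates give you, since every Splunk install ships the same server.pem, cacert.pem and CA key. A hardened pair sits beside the posted one for comparison; the mycerts\ paths, file names, passphrases, the host name in sslCommonNameToCheck and the wording of the findings are this example's assumptions. It only sees file contents, so it cannot tell that an inputs.conf sits in the wrong directory, which is what the accepted answer eventually turned up.

```python
"""Lint an indexer inputs.conf / forwarder outputs.conf pair for forwarder-to-indexer TLS.
Added example, not code from the thread or from Splunk. The POSTED_* texts are the files from
the question; the HARDENED_* texts, their paths and names, and the finding wording are assumed."""
import configparser

# Files that ship with every Splunk install: they encrypt the link but authenticate nothing,
# because every other Splunk install holds the same private key and the same CA.
STOCK_CERT_FILES = {"server.pem", "cacert.pem"}

POSTED_OUTPUTS = r"""
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
compressed = true
requireClientCert = false
server = 127.0.0.1:9998
sslCertPath = C:\Program Files\Splunk\etc\auth\server.pem
sslPassword = password
sslRootCAPath = C:\Program Files\Splunk\etc\auth\cacert.pem
"""
POSTED_INPUTS = r"""
[splunktcp-ssl:9998]
connection_host = ip
compressed = true
[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\server.pem
rootCA = C:\Program Files\Splunk\etc\auth\cacert.pem
requireClientCert = false
password = password
"""
# Same layout with site-issued certificates (assumed paths, names and passphrases): the
# forwarder verifies the indexer's certificate and the indexer insists on a client certificate.
HARDENED_OUTPUTS = r"""
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = 127.0.0.1:9998
sslCertPath = C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\forwarder.pem
sslPassword = forwarder-key-passphrase
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\myCA.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunk-indexer.example.internal
"""
HARDENED_INPUTS = r"""
[splunktcp-ssl:9998]
[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\mycerts\indexer.pem
rootCA = C:\Program Files\Splunk\etc\auth\mycerts\myCA.pem
requireClientCert = true
password = indexer-key-passphrase
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk keys are case-sensitive (sslRootCAPath, serverCert)
    cp.read_string(text)
    return cp

def _is_stock(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1] in STOCK_CERT_FILES

def _is_true(section, key):
    return section.get(key, "false").strip().lower() == "true"

def lint(inputs_text, outputs_text):
    """Return [(severity, message)]: ERROR means no data will flow over the SSL port,
    WARN means data flows but one side of the link is not authenticated."""
    inp, out, findings = _parse(inputs_text), _parse(outputs_text), []

    # Indexer: a splunktcp-ssl port only opens when [SSL] names a serverCert; otherwise splunkd
    # logs "SSL clause not found or servercert not provided", the message quoted in the thread.
    ssl_ports = {s.split(":", 1)[1] for s in inp.sections() if s.startswith("splunktcp-ssl:")}
    ssl = inp["SSL"] if inp.has_section("SSL") else None
    if not ssl_ports:
        findings.append(("ERROR", "inputs.conf has no [splunktcp-ssl:<port>] stanza"))
    elif ssl is None or not ssl.get("serverCert"):
        findings.append(("ERROR", "[SSL] stanza with serverCert missing; SSL ports will not be available"))
    if ssl is not None:
        if not _is_true(ssl, "requireClientCert"):
            findings.append(("WARN", "requireClientCert is not true; any client trusting the CA may send events"))
        findings += [("WARN", f"inputs.conf {k} is a stock Splunk certificate")
                     for k in ("serverCert", "rootCA") if _is_stock(ssl.get(k, ""))]

    # Forwarder: the default group must target that SSL port and verify who answers on it.
    group_name = "tcpout:" + out.get("tcpout", "defaultGroup", fallback="")
    if not out.has_section(group_name):
        return findings + [("ERROR", f"outputs.conf has no [{group_name}] stanza")]
    group = out[group_name]
    for target in group.get("server", "").split(","):
        if target.strip().rsplit(":", 1)[-1] not in ssl_ports:
            findings.append(("ERROR", f"target {target.strip()} is not a splunktcp-ssl port on the indexer"))
    if not _is_true(group, "sslVerifyServerCert"):
        findings.append(("WARN", "sslVerifyServerCert is not true; the forwarder does not authenticate the indexer"))
    findings += [("WARN", f"outputs.conf {k} is a stock Splunk certificate")
                 for k in ("sslCertPath", "sslRootCAPath") if _is_stock(group.get(k, ""))]
    return findings
```

Calling lint(POSTED_INPUTS, POSTED_OUTPUTS) on the posted pair gives no ERROR (the stanzas and the port line up, so the file contents alone would not explain the empty search) but six WARNs: requireClientCert and sslVerifyServerCert are off and all four certificate paths point at the stock files, so any host that has Splunk installed can both impersonate the indexer and feed it events. lint(HARDENED_INPUTS, HARDENED_OUTPUTS) returns an empty list. The key names follow the 2014-era spec the thread uses; later Splunk releases rename some of them (for instance sslPassword in the [SSL] stanza), so adjust the strings before pointing this at a current install.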

1 Solution

MuS
Legend

Hi dfigurello,

Did you check splunkd.log for any SSL-related errors? Did you do some SSL troubleshooting? If you need a hint on that, follow this nice answer: http://answers.splunk.com/answers/134053/ciphersuite-in-various-conf-files.

Regarding the search not matching: is it the correct index? The correct time range? Do you get anything back by using | tstats count where host=x or | metadata type=hosts ?

Hope this helps ...

cheers, MuS

dfigurello
Communicator

Hi MuS,
I am sorry for answering so late. I did all the configuration in ..\etc\system\local, then I restarted Splunk and the Splunk forwarder. After that, my data was indexed.

I am very grateful.

MuS
Legend

Is your inputs.conf really here: C:\Program Files\Splunk\etc\apps\search\local\inputs.conf ?

To set custom configurations, place an inputs.conf in $SPLUNK_HOME/etc/system/local/

dfigurello
Communicator

Hi MuS,

I ran a search:
index=_internal source="C:\Program Files\Splunk\var\log\splunk\splunkd.log" SSL, and then I found this error event:

08-26-2014 09:00:09.613 -0300 INFO TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
host = rpti002 source = C:\Program Files\Splunk\var\log\splunk\splunkd.log sourcetype = splunkd

08-26-2014 09:00:07.644 -0300 INFO loader - Server supporting SSL v2/v3

Thanks.
