
How to use the default SSL certificate to encrypt data between Splunk Server and Universal Forwarder

dfigurello
Communicator

Hi Splunkers,

I am trying to encrypt my data in a lab to learn this feature. I need to apply this feature for my financial customer, who has critical data.
In this case, I am using the default Splunk certificate to test, located in C:\Program Files\Splunk\etc\auth

|| Splunk Server Windows 127.0.0.1:9998 || <---DATA ENCRYPTED--- || Universal Forwarder Windows ||

Universal Forwarder Windows
C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
compressed = true
requireClientCert = false
server = 127.0.0.1:9998
sslCertPath = C:\Program Files\Splunk\etc\auth\server.pem
sslPassword = password
sslRootCAPath = C:\Program Files\Splunk\etc\auth\cacert.pem

Splunk Server
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf

[splunktcp-ssl:9998]
connection_host = ip
compressed = true

[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\server.pem
rootCA = C:\Program Files\Splunk\etc\auth\cacert.pem
requireClientCert = false
password = password

When I did a search, I didn't see data in my Splunk.

Anyone have any idea?

Cheers!

1 Solution

MuS
Legend

Hi dfigurello,

Did you check splunkd.log for any SSL-related errors? Did you do some SSL troubleshooting? If you need a hint on that, follow this nice answer: http://answers.splunk.com/answers/134053/ciphersuite-in-various-conf-files.

Regarding the search that returns nothing: is it the correct index? The correct time range? Do you get anything back by using | tstats count where host=x or | metadata type=hosts ?

Hope this helps ...

cheers, MuS


dfigurello
Communicator

Hi MuS,
I am sorry to answer so late. I did all the configuration in ..\etc\system\local, then I restarted Splunk and the Splunk forwarder. After that, my data was indexed.

I am very grateful.

MuS
Legend

Is your inputs.conf really here: C:\Program Files\Splunk\etc\apps\search\local\inputs.conf ?

To set custom configurations, place an inputs.conf in $SPLUNK_HOME/etc/system/local/

dfigurello
Communicator

Hi MuS,

I ran the search:
index=_internal source="C:\Program Files\Splunk\var\log\splunk\splunkd.log" SSL and then I found this error event:

08-26-2014 09:00:09.613 -0300 INFO TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
host = rpti002 source = C:\Program Files\Splunk\var\log\splunk\splunkd.log sourcetype = splunkd

08-26-2014 09:00:07.644 -0300 INFO loader - Server supporting SSL v2/v3

Thanks.

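The thread turns on two checks: whether the indexer-side inputs.conf actually carries a [splunktcp-ssl:port] stanza plus an [SSL] stanza with a serverCert, and whether splunkd.log contains the "SSL clause not found or servercert not provided" line that says the listener never opened. The script below does both over inline samples. It is an added example, not code from the thread or from Splunk: the stanza and key names (splunktcp-ssl, SSL, serverCert, rootCA, requireClientCert, password) are Splunk's, the first inputs.conf is the one from the question, the first two log lines are the events quoted in the last reply, and everything else (the function names, the variant inputs.conf with no [SSL] stanza, the two extra log lines) is constructed here. One caveat for the financial-customer case: the server.pem and cacert.pem shipped in etc\auth are the same on every Splunk installation and their key password is the default "password", so they give transport encryption but do not authenticate either side; a production deployment needs its own certificates and requireClientCert = true, and the checker flags both of those defaults.

```python
"""Triage helpers for a Splunk TLS forwarding setup (added example, not Splunk code).

check_ssl_inputs()  - can this inputs.conf open a splunktcp-ssl listener at all, and
                      which settings leave the connection encrypted but unauthenticated?
scan_splunkd_log()  - which splunkd.log lines say the TLS listener never came up?
"""
import configparser
import re

# Sample 1: the indexer-side inputs.conf exactly as posted in the question.
INPUTS_CONF_AS_POSTED = r"""
[splunktcp-ssl:9998]
connection_host = ip
compressed = true

[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\server.pem
rootCA = C:\Program Files\Splunk\etc\auth\cacert.pem
requireClientCert = false
password = password
"""

# Sample 2 (constructed): listener stanza present but no [SSL] clause, which is the
# state the "SSL clause not found or servercert not provided" log line describes.
INPUTS_CONF_NO_SSL = """
[splunktcp-ssl:9998]
connection_host = ip
compressed = true
"""

# Constructed splunkd.log excerpt: lines 1 and 2 are the events quoted in the thread;
# lines 3 and 4 are made up here to show a WARN hit and a non-SSL line being skipped.
SAMPLE_SPLUNKD_LOG = [
    "08-26-2014 09:00:07.644 -0300 INFO loader - Server supporting SSL v2/v3",
    "08-26-2014 09:00:09.613 -0300 INFO TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available",
    "08-26-2014 09:00:12.101 -0300 WARN SSLCommon - Received fatal SSL3 alert. alert_description='unknown ca'.",
    "08-26-2014 09:00:12.400 -0300 INFO TcpInputProc - Registering metrics callback for: tcpin_connections",
]

SPLUNK_DEFAULT_KEY_PASSWORD = "password"   # password of the key inside the shipped server.pem


def parse_conf(text):
    """Splunk .conf files are INI-style; keep key case because serverCert != servercert."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_ssl_inputs(text):
    """Return a list of findings; an empty list means the TLS listener config is complete
    and uses no shipped default."""
    cp = parse_conf(text)
    findings = []
    if not any(s.startswith("splunktcp-ssl:") for s in cp.sections()):
        findings.append("no [splunktcp-ssl:<port>] stanza: nothing listens for TLS forwarders")
    if not cp.has_section("SSL"):
        findings.append("no [SSL] stanza: splunkd logs 'SSL clause not found' and opens no SSL ports")
        return findings
    ssl = cp["SSL"]
    if not ssl.get("serverCert"):
        findings.append("[SSL] has no serverCert: the listener cannot present a certificate")
    if ssl.get("requireClientCert", "false").lower() != "true":
        findings.append("requireClientCert is not true: traffic is encrypted but forwarders are not authenticated")
    if ssl.get("password") == SPLUNK_DEFAULT_KEY_PASSWORD:
        findings.append("[SSL] password is the shipped default: the etc/auth key is identical on every Splunk install")
    return findings


# "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component - message"
LOG_LINE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) (\w+) (\S+) - (.*)$")

# Messages that mean the TLS input was never configured (quoted from the thread).
SSL_FAILURE_MARKERS = ("SSL clause not found", "servercert not provided", "SSL ports will not be available")


def scan_splunkd_log(lines):
    """Return (timestamp, component, message) for lines that say the TLS listener failed to
    start, plus any WARN/ERROR line that mentions SSL. INFO lines that merely say SSL are skipped."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        ts, level, component, msg = m.groups()
        if any(marker in msg for marker in SSL_FAILURE_MARKERS) or (level in ("WARN", "ERROR") and "SSL" in msg):
            hits.append((ts, component, msg))
    return hits


if __name__ == "__main__":
    for name, conf in (("as posted", INPUTS_CONF_AS_POSTED), ("without [SSL]", INPUTS_CONF_NO_SSL)):
        print(f"inputs.conf {name}: {check_ssl_inputs(conf) or ['listener config complete']}")
    for ts, component, msg in scan_splunkd_log(SAMPLE_SPLUNKD_LOG):
        print(f"{ts} {component}: {msg}")
```

Run it against the real files by reading $SPLUNK_HOME\etc\system\local\inputs.conf (the location the thread settled on) and the TcpInputConfig lines of splunkd.log: a posted-style config passes the structural check, so if the log still shows "SSL ports will not be available", the file Splunk is reading is not the one you edited (wrong directory, or a .txt extension Windows hid).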