
How to use default certificate ssl to encrypt data between Splunk Server and Universal Forwarder

Communicator

Hi Splunkers,

I am trying to encrypt my data in a lab to learn this feature. I need to apply this feature for my financial customer, who has critical data.
In this case, I am using the default Splunk certificate to test, located in C:\Program Files\Splunk\etc\auth

|| Splunk Server Windows 127.0.0.1:9998 || <---DATA ENCRYPTED--- || Universal Forwarder Windows ||

Universal Forwarder Windows
C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
compressed = true
requireClientCert = false
server = 127.0.0.1:9998
sslCertPath = C:\Program Files\Splunk\etc\auth\server.pem
sslPassword = password
sslRootCAPath = C:\Program Files\Splunk\etc\auth\cacert.pem

Splunk Server
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf

[splunktcp-ssl:9998]
connection_host = ip
compressed = true

[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\server.pem
rootCA = C:\Program Files\Splunk\etc\auth\cacert.pem
requireClientCert = false
password = password

When I did a search, I didn't see data in my Splunk.

Does anyone have any idea?

Cheers!


SplunkTrust

Hi dfigurello,

Did you check splunkd.log for any SSL related errors? Did you do some SSL troubleshooting? If you need a hint on that, follow this nice answer: http://answers.splunk.com/answers/134053/ciphersuite-in-various-conf-files.

Regarding the search not matching: is it the correct index? The correct time range? Do you get anything back by using | tstats count where host=x or | metadata type=hosts ?

Hope this helps ...

cheers, MuS



Communicator

Hi MuS,
I am sorry to answer so late. I did all the configuration in ..\etc\system\local, then I restarted Splunk and the Splunk forwarder. After that, my data was indexed.

I am very grateful.

SplunkTrust

Is your inputs.conf really here: C:\Program Files\Splunk\etc\apps\search\local\inputs.conf ?

To set custom configurations, place an inputs.conf in $SPLUNK_HOME/etc/system/local/

Communicator

Hi MuS,

I ran a search:
index=_internal source="C:\Program Files\Splunk\var\log\splunk\splunkd.log" SSL, and then I found this error event:


08-26-2014 09:00:09.613 -0300 INFO TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
host = rpti002 source = C:\Program Files\Splunk\var\log\splunk\splunkd.log sourcetype = splunkd


08-26-2014 09:00:07.644 -0300 INFO loader - Server supporting SSL v2/v3

Thanks.

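As an added example (not from this thread or from Splunk), here is a small Python check that reads an indexer inputs.conf and a forwarder outputs.conf together and reports the mismatches behind the "SSL clause not found or servercert not provided - SSL ports will not be available" message above: a splunktcp-ssl listener with no [SSL] stanza or no serverCert, a tcpout group sending to that port without sslRootCAPath, and a missing forwarder sslCertPath when the indexer sets requireClientCert = true. The sample conf text is constructed from the configs in the question; file locations (system/local vs. an app's local directory) are not checked.

```python
import configparser

# Constructed samples mirroring the thread's configs (not copied from a real host).
SAMPLE_INPUTS_OK = r"""
[splunktcp-ssl:9998]
connection_host = ip
compressed = true

[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\server.pem
rootCA = C:\Program Files\Splunk\etc\auth\cacert.pem
requireClientCert = false
password = password
"""
# Same listener with the [SSL] stanza missing: the case splunkd logs as
# "SSL clause not found or servercert not provided - SSL ports will not be available".
SAMPLE_INPUTS_BROKEN = "[splunktcp-ssl:9998]\nconnection_host = ip\ncompressed = true\n"
SAMPLE_OUTPUTS = r"""
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
compressed = true
server = 127.0.0.1:9998
sslCertPath = C:\Program Files\Splunk\etc\auth\server.pem
sslPassword = password
sslRootCAPath = C:\Program Files\Splunk\etc\auth\cacert.pem
"""

def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text: INI-like, case-sensitive keys, no % interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep serverCert / sslRootCAPath casing as written
    cp.read_string(text)
    return cp

def check_ssl_pair(inputs_text: str, outputs_text: str) -> list[str]:
    """Return findings for an inputs.conf / outputs.conf pair; [] means consistent."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    findings: list[str] = []
    tls_ports = {s.split(":", 1)[1] for s in inputs.sections() if s.startswith("splunktcp-ssl:")}
    if tls_ports and not inputs.get("SSL", "serverCert", fallback=""):
        findings.append("inputs.conf: [SSL] stanza with serverCert missing; ports "
                        + ", ".join(sorted(tls_ports)) + " will not open")
    want_client_cert = inputs.get("SSL", "requireClientCert", fallback="false").lower() == "true"
    for group in (s for s in outputs.sections() if s.startswith("tcpout:")):
        targets = [t.strip() for t in outputs.get(group, "server", fallback="").split(",") if t.strip()]
        hits_tls = any(t.rsplit(":", 1)[-1] in tls_ports for t in targets)  # host:port -> port
        if hits_tls and not outputs.get(group, "sslRootCAPath", fallback=""):
            findings.append(f"outputs.conf: [{group}] sends to a splunktcp-ssl port without sslRootCAPath")
        if hits_tls and want_client_cert and not outputs.get(group, "sslCertPath", fallback=""):
            findings.append(f"outputs.conf: [{group}] needs sslCertPath: indexer sets requireClientCert = true")
    return findings
```

A clean result only shows the two files agree; because Splunk's default server.pem and cacert.pem are the same on every installation, a pair that passes with those paths is consistent but not authenticated against anyone else holding the same default CA, so a per-deployment certificate is still needed before this leaves the lab.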