Security

Pushing self signed certificates to universal forwarders

Path Finder

Is there a Splunk recommended solution to pushing self signed SSL certificates to thousands of universal forwarders?

We tried bundling the certificates into an app and pushing it out to the universal forwarders. However, I believe that the default configurations set in /system/local/ on the universal forwarders will overwrite the configurations set within the app.

Is there a way around this or is there a better alternative solution?

0 Karma

Super Champion

If you have settings in etc/system/local of the UF, then it is almost impossible to override. This is why any enterprise installation should NOT have any items in etc/system/local
The only way is to use an external tool like puppet/ansible which can do the re-installation for you.

There is any tricky way to do this (but quite dangerous). The idea is to PUSH an app with python or shell script code, which can delete entries (or do stuff at OS level) an restart splunk. But this is NEVER recommended for enterprise level systems, as you won't have any control if it goes wrong.

Whatever you did is correct of putting all your TLS/self-signed certificates into an app and manage it centrally and make it part of deployment-server.

Path Finder

Hi koshyk,

How I understand SSL, the server.conf and outputs.conf both need to be modified with the correct configurations. Once we accept the license on a UF, a server.conf will automatically be generated. I'm trying to override the /system/local server.conf file that was automatically generated with the server.conf that I have defined in my application.

0 Karma

Super Champion

I can't find a way unfortunately other than with help of separate tool or doing the ugly solution as mentioned above

0 Karma

Path Finder

In your initial response, are you saying there should be absolutely no settings in /system/local? Not even server.conf? Isn't server.conf automatically generated when you install the universal forwarder and accept the license? Kind of confused here.

0 Karma

Super Champion

I meant to say, as splunk admins, we shouldn't put configurations in /system/local. anything which is auto-generated is Okish, as beyond our control.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!