Redundant forwarders and SSL

Path Finder

My understanding was that the best practice for creating redundancy for the forwarders is to create two forwarders and use DNS round robin load balancing to have clients load balance between the two or failover to the active one during an outage.

What's the best practice for protecting forwarding using SSL in the scenario above? If I create listeners on those intermediate forwarders, should I have each one use the same CN and cert? My understanding is that if I have two hosts defined in the outputs.conf, it sends one copy of each event to both servers, thus doubling my license consumption and requiring a dedup for all searches.

But if they do use the same cert and CN, which fields have to match in the config files? The inputs.conf and the server.conf file?



Tags (1)
0 Karma

Splunk Employee
Splunk Employee

I take it you're making the intermediate forwarders redundant, and that they receive SSL from a set of other forwarders. If you are doing this, you can either specify the redundant intermediates using DNS aliases (not round-robin load-balancing) or you can list each one separately in outputs.conf, not both (since if you use DNS, they will have the same name in outputs.conf).

Regardless of what you do, the rule for SSL (assuming you're validating the server name on the SSL cert, which nevertheless is not required to be configured that way in Splunk) is that the certificate name must match the name by which the client accesses the server. Therefore, if you use DNS aliases, both intermediate forwarders must have the DNS name (the DNS name). If you reference them separately, they must each have the respective name used in outputs.conf.

0 Karma

Path Finder

I'm not totally clear... If I use the first method, I have one entry for each intermediate forwarder in the outputs.conf file and each one would have a cert that matches that name.

Or I can use a single entry in outputs.conf and use DNS round-robin to send the traffic to the intermediate forwarders. Both intermediate forwarders would have to have identical hostnames and server names within Splunk config files that matches the CN on the cert?

Do I have that right?

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...