Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SSL for third-party forwarding?

jhigginsmq
Path Finder
‎03-10-2017 06:37 AM

Hi. We are looking at the possibility of forwarding data from a Splunk indexer (with "indexAndForward") to a third-party system using SSL. As it's a non-Splunk receiving system we need to use "sendCookedData = false" in outputs.conf. I'm aware of the SSL settings in outputs.conf but all documentation I've seen only describes these settings in the context of a Splunk indexer on the receiving end, with corresponding settings in inputs.conf.

Is it possible to use the SSL settings in the outputs.conf of the forwarding system with a non-Splunk receiver? My knowledge of SSL and the receiving system is limited but presumably some configuration of the receiver would be required to accept this.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎03-10-2017 06:51 AM

indexAndForward is for heavy forwarders only. It will not work on indexers. Let me know if that's an option for you, if so I can elaborate on the SSL questions.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎03-10-2017 06:51 AM

indexAndForward is for heavy forwarders only. It will not work on indexers. Let me know if that's an option for you, if so I can elaborate on the SSL questions.

0 Karma
Reply
Solved! Jump to solution

jhigginsmq
Path Finder
‎03-10-2017 07:11 AM

Ok I can see it says "This attribute is only available for heavy forwarders" under indexAndForward in the outputs.conf.spec, I assumed this meant only as opposed to universal forwarders. Isn't a 'heavy forwarder that indexes', really just an 'indexer that forwards'?

Either way I am keen to hear your SSL thoughts, thanks.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎03-10-2017 08:55 AM 
SSL should work just fine sending to other servers and ports.  SSL Verification will work too.  You've got to create your own pem

openssl genrsa -aes256 -out splunkforwarders.yourdomain.com.key 2048
openssl req -new -key splunkforwarders.yourdomain.com.key -out splunkforwarders.yourdomain.com.csr
openssl x509 -req -in splunkforwarders.yourdomain.com.csr -sha1 -signkey splunkforwarders.yourdomain.com.key -CAcreateserial -out splunkforwarders.yourdomain.com.crt -days 365


cat splunkforwarders.yourdomain.com.crt splunkforwarders.yourdomain.com.key rootca.crt subca1.crt subca2.crt > splunkforwarders.pem

inputs.conf:
[your_stanza]
_INDEX_AND_FORWARD_ROUTING  = ssl_forwarding

outputs.conf:
[tcpout]
defaultGroup = indexers
indexAndForward = true

[tcpout:ssl_forwarding]
sendCookedData = false
server = {some_host}:{port}
clientCert = $SPLUNK_HOME/etc/myauth/splunkforwarders.pem
sslPassword ={password}
sslRootCAPath = $SPLUNK_HOME/etc/myauth/rootca.crt
sslVerifyServerCert = true
sslCommonNameToCheck = {some_host}

[tcpout:indexers]
server = {some_indexer_1}:{port}, {some_indexer_2}:{port}
0 Karma
Reply
Solved! Jump to solution

jhigginsmq
Path Finder
‎03-10-2017 12:58 PM

Ok great, think I need to read up on the SSL settings a bit more but good to know it can be done and the example look useful, thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...