Security

SSL for third-party forwarding?

jhigginsmq
Path Finder

Hi. We are looking at the possibility of forwarding data from a Splunk indexer (with "indexAndForward") to a third-party system using SSL. As it's a non-Splunk receiving system we need to use "sendCookedData = false" in outputs.conf. I'm aware of the SSL settings in outputs.conf but all documentation I've seen only describes these settings in the context of a Splunk indexer on the receiving end, with corresponding settings in inputs.conf.

Is it possible to use the SSL settings in the outputs.conf of the forwarding system with a non-Splunk receiver? My knowledge of SSL and the receiving system is limited but presumably some configuration of the receiver would be required to accept this.

0 Karma
1 Solution

jkat54
SplunkTrust
SplunkTrust

indexAndForward is for heavy forwarders only. It will not work on indexers. Let me know if that's an option for you, if so I can elaborate on the SSL questions.

View solution in original post

0 Karma

jkat54
SplunkTrust
SplunkTrust

indexAndForward is for heavy forwarders only. It will not work on indexers. Let me know if that's an option for you, if so I can elaborate on the SSL questions.

View solution in original post

0 Karma

jhigginsmq
Path Finder

Ok I can see it says "This attribute is only available for heavy forwarders" under indexAndForward in the outputs.conf.spec, I assumed this meant only as opposed to universal forwarders. Isn't a 'heavy forwarder that indexes', really just an 'indexer that forwards'?

Either way I am keen to hear your SSL thoughts, thanks.

0 Karma

jkat54
SplunkTrust
SplunkTrust
SSL should work just fine sending to other servers and ports.  SSL Verification will work too.  You've got to create your own pem

openssl genrsa -aes256 -out splunkforwarders.yourdomain.com.key 2048
openssl req -new -key splunkforwarders.yourdomain.com.key -out splunkforwarders.yourdomain.com.csr
openssl x509 -req -in splunkforwarders.yourdomain.com.csr -sha1 -signkey splunkforwarders.yourdomain.com.key -CAcreateserial -out splunkforwarders.yourdomain.com.crt -days 365


cat splunkforwarders.yourdomain.com.crt splunkforwarders.yourdomain.com.key rootca.crt subca1.crt subca2.crt > splunkforwarders.pem

inputs.conf:
[your_stanza]
_INDEX_AND_FORWARD_ROUTING  = ssl_forwarding

outputs.conf:
[tcpout]
defaultGroup = indexers
indexAndForward = true

[tcpout:ssl_forwarding]
sendCookedData = false
server = {some_host}:{port}
clientCert = $SPLUNK_HOME/etc/myauth/splunkforwarders.pem
sslPassword ={password}
sslRootCAPath = $SPLUNK_HOME/etc/myauth/rootca.crt
sslVerifyServerCert = true
sslCommonNameToCheck = {some_host}

[tcpout:indexers]
server = {some_indexer_1}:{port}, {some_indexer_2}:{port}
0 Karma

jhigginsmq
Path Finder

Ok great, think I need to read up on the SSL settings a bit more but good to know it can be done and the example look useful, thanks.

0 Karma