Security

SSL for third-party forwarding?

jhigginsmq
Path Finder

Hi. We are looking at the possibility of forwarding data from a Splunk indexer (with "indexAndForward") to a third-party system using SSL. As it's a non-Splunk receiving system we need to use "sendCookedData = false" in outputs.conf. I'm aware of the SSL settings in outputs.conf but all documentation I've seen only describes these settings in the context of a Splunk indexer on the receiving end, with corresponding settings in inputs.conf.

Is it possible to use the SSL settings in the outputs.conf of the forwarding system with a non-Splunk receiver? My knowledge of SSL and the receiving system is limited but presumably some configuration of the receiver would be required to accept this.

0 Karma
1 Solution

jkat54
SplunkTrust

indexAndForward is for heavy forwarders only. It will not work on indexers. Let me know if that's an option for you, if so I can elaborate on the SSL questions.

0 Karma

jhigginsmq
Path Finder

Ok I can see it says "This attribute is only available for heavy forwarders" under indexAndForward in the outputs.conf.spec, I assumed this meant only as opposed to universal forwarders. Isn't a 'heavy forwarder that indexes', really just an 'indexer that forwards'?

Either way I am keen to hear your SSL thoughts, thanks.

0 Karma

jkat54
SplunkTrust

SSL should work just fine sending to other servers and ports. SSL verification will work too. You've got to create your own pem:

# Private key, encrypted with a passphrase (this is the sslPassword below)
openssl genrsa -aes256 -out splunkforwarders.yourdomain.com.key 2048
# Certificate signing request
openssl req -new -key splunkforwarders.yourdomain.com.key -out splunkforwarders.yourdomain.com.csr
# Self-signed certificate; -sha256 because SHA-1 certificate signatures are deprecated
openssl x509 -req -in splunkforwarders.yourdomain.com.csr -sha256 -signkey splunkforwarders.yourdomain.com.key -CAcreateserial -out splunkforwarders.yourdomain.com.crt -days 365

# Bundle: certificate, private key, then the CA certificates
cat splunkforwarders.yourdomain.com.crt splunkforwarders.yourdomain.com.key rootca.crt subca1.crt subca2.crt > splunkforwarders.pem

inputs.conf:
[your_stanza]
_INDEX_AND_FORWARD_ROUTING = ssl_forwarding

outputs.conf:
[tcpout]
defaultGroup = indexers
indexAndForward = true

[tcpout:ssl_forwarding]
sendCookedData = false
server = {some_host}:{port}
clientCert = $SPLUNK_HOME/etc/myauth/splunkforwarders.pem
sslPassword = {password}
sslRootCAPath = $SPLUNK_HOME/etc/myauth/rootca.crt
sslVerifyServerCert = true
sslCommonNameToCheck = {some_host}

[tcpout:indexers]
server = {some_indexer_1}:{port}, {some_indexer_2}:{port}

0 Karma
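
An added example, not part of the thread and not Splunk's own code: a small Python check that audits outputs.conf text for the server-verification settings used in the [tcpout:ssl_forwarding] stanza above. The function names, the sample hostnames, the accepted boolean spellings, and the rule that each server host should appear in sslCommonNameToCheck (the pattern the posted stanza follows) are assumptions.

```python
import configparser

TRUE = {"true", "1", "t", "yes", "y"}  # assumption: accepted spellings of boolean true
# Constructed sample: the thread's stanza shape plus two deliberately weak variants.
SAMPLE = """
[tcpout:ssl_forwarding]
server = siem.example.com:6514
clientCert = $SPLUNK_HOME/etc/myauth/splunkforwarders.pem
sslRootCAPath = $SPLUNK_HOME/etc/myauth/rootca.crt
sslVerifyServerCert = true
sslCommonNameToCheck = siem.example.com
[tcpout:no_verify]
server = 192.0.2.10:6514
clientCert = $SPLUNK_HOME/etc/myauth/splunkforwarders.pem
[tcpout:wrong_name]
server = collector.example.com:6514
clientCert = $SPLUNK_HOME/etc/myauth/splunkforwarders.pem
sslRootCAPath = $SPLUNK_HOME/etc/myauth/rootca.crt
sslVerifyServerCert = true
sslCommonNameToCheck = siem.example.com
"""

def _hosts(server_value):
    """Hosts from 'host:port, host:port' (IPv6 literals are not handled)."""
    return [e.strip().rsplit(":", 1)[0] for e in server_value.split(",") if e.strip()]

def audit_tcpout(conf_text):
    """Return {group: [findings]} for every [tcpout:<group>] stanza."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(conf_text)
    report = {}
    for name in (n for n in cp.sections() if n.startswith("tcpout:")):
        s, findings = cp[name], []
        if "clientCert" not in s:
            findings.append("clientCert not set")
        if s.get("sslVerifyServerCert", "").strip().lower() not in TRUE:
            findings.append("sslVerifyServerCert is not true: receiver identity unchecked")
        else:
            if "sslRootCAPath" not in s:
                findings.append("sslRootCAPath not set in this stanza")
            names = {n.strip() for n in s.get("sslCommonNameToCheck", "").split(",") if n.strip()}
            if not names:
                findings.append("sslCommonNameToCheck not set")
            findings += [f"server host {h} not in sslCommonNameToCheck"
                         for h in _hosts(s.get("server", "")) if names and h not in names]
        report[name.split(":", 1)[1]] = findings
    return report

print(audit_tcpout(SAMPLE))
```

An empty findings list means the stanza follows the posted pattern; it does not prove the receiver's certificate actually chains to the configured root CA.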

jhigginsmq
Path Finder

Ok great, think I need to read up on the SSL settings a bit more but good to know it can be done and the example looks useful, thanks.

0 Karma