Security

TCP Data Input and SSL

tskubisz
Engager

Hi there.

I trying to configure Splunk to receiving data from TCP port 514.

I using default Splunk certificates witch are generated in /opt/splunk/etc/auth

I configured inputs.conf :

[tcp-ssl:514]
sourcetype = syslog

[SSL]

rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem

On my network device I configured to send syslog to my Splunk server address via Tcp port 514 and import cacert.pem

After that i can't explore logs via this device but logos are hashed.

What I am doing wrong?

0 Karma
1 Solution

anmolpatel
Builder

You would need the certificate on the syslog server
I would update the app structure to the below so you can push the config to multiple endpoints via the deployment server

base_app_name EG: org_environment_type_base_app
-- auth
---- serverCert.pem
---- rootCACert.pem
-- defaults OR local
---- inputs.conf
---- server.conf
---- outputs.conf

Your inputs.conf should contain

[SSL]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslPassword = #encryptedPassword
sslVersion = # version ### optional
requiredClientCert = # boolean

your server.conf should contain

[sslConfig]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslRootCAPath= SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem ### note rootCA is depreciated 
sslPassword = #password

[deployment]
pass4SymmKey = #password

You also need an outputs.conf

[tcpout]
sslPassword = #password
clientCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslVersion = # version ### optional

Hope this helps

View solution in original post

0 Karma

anmolpatel
Builder

You would need the certificate on the syslog server
I would update the app structure to the below so you can push the config to multiple endpoints via the deployment server

base_app_name EG: org_environment_type_base_app
-- auth
---- serverCert.pem
---- rootCACert.pem
-- defaults OR local
---- inputs.conf
---- server.conf
---- outputs.conf

Your inputs.conf should contain

[SSL]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslPassword = #encryptedPassword
sslVersion = # version ### optional
requiredClientCert = # boolean

your server.conf should contain

[sslConfig]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslRootCAPath= SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem ### note rootCA is depreciated 
sslPassword = #password

[deployment]
pass4SymmKey = #password

You also need an outputs.conf

[tcpout]
sslPassword = #password
clientCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslVersion = # version ### optional

Hope this helps

0 Karma

tskubisz
Engager

Thank you for help.
I not sure did I correct understand this steps.
Is that mean that I need to generate new certificate for client and upload this on Device from syslog is sending? (Synology NAS in my case)
Also can't find what is default password. I don't created any password for SSL.

0 Karma

anmolpatel
Builder

@tskubisz This will give you a walkthrough on how to generate it all for Splunk
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates

Yes, the certificate needs to be on the Device sending the syslog, go through this document for a thorough walkthrough
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/ConfigureSplunkforwardingtousesignedcert...

Validation step:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...