Hi there.
I'm trying to configure Splunk to receive data on TCP port 514.
I'm using the default Splunk certificates, which are generated in /opt/splunk/etc/auth.
I configured inputs.conf:
[tcp-ssl:514]
sourcetype = syslog
[SSL]
rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem
On my network device I configured it to send syslog to my Splunk server address via TCP port 514 and imported cacert.pem.
After that I can't explore logs from this device, but the logs are hashed.
What I am doing wrong?
You would need the certificate on the syslog server
I would update the app structure to the below so you can push the config to multiple endpoints via the deployment server
base_app_name EG: org_environment_type_base_app
-- auth
---- serverCert.pem
---- rootCACert.pem
-- defaults OR local
---- inputs.conf
---- server.conf
---- outputs.conf
Your inputs.conf should contain
[SSL]
serverCert = $SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslPassword = #encryptedPassword
sslVersion = # version ### optional
requireClientCert = # boolean
your server.conf should contain
[sslConfig]
serverCert = $SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem ### note rootCA is deprecated
sslPassword = #password
[deployment]
pass4SymmKey = #password
You also need an outputs.conf
[tcpout]
sslPassword = #password
clientCert = $SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslVersion = # version ### optional
Hope this helps
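An added example, not from the thread or from Splunk: a structural sanity check for the [tcp-ssl]/[SSL] stanzas discussed above. It only inspects PEM block headers (it does not verify signatures), and it assumes serverCert points to a single PEM holding the certificate followed by its private key, as Splunk expects.

```python
import configparser
import os
import re
import tempfile

def pem_block_types(pem_text):
    return re.findall(r"-----BEGIN ([A-Z ]+)-----", pem_text)  # e.g. ['CERTIFICATE', 'RSA PRIVATE KEY']

def check_ssl_input(inputs_conf, splunk_home="/opt/splunk"):
    """Return a list of findings for the [tcp-ssl]/[SSL] stanzas; [] means they look consistent."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive (serverCert, sslPassword)
    cp.read(inputs_conf)
    if not any(s.startswith("tcp-ssl:") for s in cp.sections()):
        findings.append("no [tcp-ssl:<port>] stanza; a [tcp:<port>] listener accepts cleartext only")
    if "SSL" not in cp:
        return findings + ["missing [SSL] stanza: the TLS listener has no certificate to present"]
    ssl = cp["SSL"]
    path = ssl.get("serverCert", "").replace("$SPLUNK_HOME", splunk_home)
    if not os.path.isfile(path):
        findings.append(f"serverCert missing or file not found: {path!r}")
    else:
        text = open(path).read()
        types = pem_block_types(text)
        if "CERTIFICATE" not in types:
            findings.append("serverCert has no CERTIFICATE block")
        if not any("PRIVATE KEY" in t for t in types):
            findings.append("serverCert has no PRIVATE KEY block (Splunk expects cert and key in one PEM)")
        if "ENCRYPTED" in text and not ssl.get("sslPassword"):
            findings.append("private key is encrypted but [SSL] sslPassword is not set")
    if ssl.get("rootCA"):
        findings.append("rootCA in inputs.conf is deprecated; use sslRootCAPath in server.conf [sslConfig]")
    return findings

def run_demo():
    """Check two constructed configs: a consistent one and one whose PEM lacks the private key."""
    d = tempfile.mkdtemp()
    cert = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n"
    results = []
    for name, pem, pw in (("good", cert + key, "sslPassword = $1$encrypted\n"), ("bad", cert, "")):
        with open(os.path.join(d, name + ".pem"), "w") as fh:
            fh.write(pem)  # constructed placeholder PEM, not a real certificate
        with open(os.path.join(d, "inputs.conf"), "w") as fh:
            fh.write(f"[tcp-ssl:514]\nsourcetype = syslog\n[SSL]\nserverCert = {d}/{name}.pem\n{pw}")
        results.append(check_ssl_input(os.path.join(d, "inputs.conf")))
    return results  # -> [[], ['serverCert has no PRIVATE KEY block ...']]
```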
Thank you for help.
I'm not sure I understood these steps correctly.
Does that mean I need to generate a new certificate for the client and upload it to the device that the syslog is sent from? (Synology NAS in my case)
Also, I can't find what the default password is. I didn't create any password for SSL.
@tskubisz This will give you a walkthrough on how to generate it all for Splunk
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates
Yes, the certificate needs to be on the Device sending the syslog, go through this document for a thorough walkthrough
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/ConfigureSplunkforwardingtousesignedcert...
Validation step:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration