TCP Data Input and SSL

tskubisz
Engager

Hi there.

I am trying to configure Splunk to receive data from TCP port 514.

I am using the default Splunk certificates which are generated in /opt/splunk/etc/auth

I configured inputs.conf:

[tcp-ssl:514]
sourcetype = syslog

[SSL]

rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem

On my network device I configured it to send syslog to my Splunk server address via TCP port 514 and imported cacert.pem.

After that I can't explore the logs from this device, but the logs are hashed.

What am I doing wrong?


anmolpatel
Builder

You would need the certificate on the syslog server.
I would update the app structure to the below so you can push the config to multiple endpoints via the deployment server.

base_app_name EG: org_environment_type_base_app
-- auth
---- serverCert.pem
---- rootCACert.pem
-- default OR local
---- inputs.conf
---- server.conf
---- outputs.conf

Your inputs.conf should contain

[SSL]
serverCert = $SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslPassword = #encryptedPassword
sslVersions = # version ### optional
requireClientCert = # boolean

Your server.conf should contain

[sslConfig]
serverCert = $SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslRootCAPath = $SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem ### note rootCA is deprecated
sslPassword = #password

[deployment]
pass4SymmKey = #password

You also need an outputs.conf

[tcpout]
sslPassword = #password
clientCert = $SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslVersions = # version ### optional

Hope this helps

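A checker for the inputs.conf settings discussed in this answer, added here as an example; it is not part of the thread and not Splunk's own tooling. It lints the [SSL] stanza for the default certificate, the deprecated rootCA key, a missing requireClientCert and legacy sslVersions values; the app name org_prod_idx_base_app and both sample configs are constructed.

```python
"""Lint the [SSL] stanza of a Splunk inputs.conf before enabling a tcp-ssl input.
Added example, not Splunk's own code; the sample configs below are constructed."""
import configparser
# Constructed: the poster's config, using the default certificates under etc/auth.
WEAK_INPUTS_CONF = """
[tcp-ssl:514]
sourcetype = syslog
[SSL]
rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem
"""
# Constructed: the same input after following the accepted answer (app name is made up).
HARDENED_INPUTS_CONF = """
[tcp-ssl:514]
sourcetype = syslog
[SSL]
serverCert = $SPLUNK_HOME/etc/apps/org_prod_idx_base_app/auth/serverCert.pem
sslPassword = $7$placeholder-encrypted-password
requireClientCert = true
sslVersions = tls1.2
"""
LEGACY_PROTOCOLS = {"*", "ssl2", "ssl3", "tls1.0", "tls1.1"}  # '*' = all supported, so legacy-permitting


def lint_ssl_stanza(text):
    """Return a list of findings for one inputs.conf; an empty list means nothing to fix."""
    # Splunk .conf files are INI-like; interpolation=None keeps a literal '$' in paths.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    if not any(s.startswith("tcp-ssl:") for s in cp.sections()):
        return []  # no TLS listener defined, nothing to check
    if "SSL" not in cp:
        return ["tcp-ssl input defined but no [SSL] stanza: listener has no certificate"]
    ssl, findings = cp["SSL"], []
    cert = ssl.get("serverCert", "")
    if not cert:
        findings.append("serverCert missing")
    elif cert.endswith("/etc/auth/server.pem"):  # default cert; its CA key ships with every install
        findings.append("serverCert is the Splunk default certificate")
    if "rootCA" in ssl:
        findings.append("rootCA in inputs.conf is deprecated; set sslRootCAPath in server.conf")
    if ssl.get("requireClientCert", "false").strip().lower() != "true":
        findings.append("requireClientCert is not true: any host can send to the listener")
    legacy = {v.strip() for v in ssl.get("sslVersions", "").split(",")} & LEGACY_PROTOCOLS
    if "sslVersions" not in ssl:
        findings.append("sslVersions not set; the default depends on the Splunk version")
    elif legacy:
        findings.append("sslVersions allows legacy protocols: " + ", ".join(sorted(legacy)))
    return findings
```

Run it against a copy of the deployed inputs.conf; the four findings on the constructed weak config are exactly the gaps the accepted answer closes.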


tskubisz
Engager

Thank you for the help.
I am not sure whether I understood these steps correctly.
Does that mean I need to generate a new certificate for the client and upload it to the device the syslog is sent from? (Synology NAS in my case)
Also, I can't find what the default password is. I didn't create any password for SSL.


anmolpatel
Builder

@tskubisz This will give you a walkthrough on how to generate it all for Splunk:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates

Yes, the certificate needs to be on the device sending the syslog; go through this document for a thorough walkthrough:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/ConfigureSplunkforwardingtousesignedcert...

Validation step:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration
