Security

TCP Data Input and SSL

tskubisz
Engager

Hi there.

I trying to configure Splunk to receiving data from TCP port 514.

I using default Splunk certificates witch are generated in /opt/splunk/etc/auth

I configured inputs.conf :

[tcp-ssl:514]
sourcetype = syslog

[SSL]

rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem

On my network device I configured to send syslog to my Splunk server address via Tcp port 514 and import cacert.pem

After that i can't explore logs via this device but logos are hashed.

What I am doing wrong?

0 Karma
1 Solution

anmolpatel
Builder

You would need the certificate on the syslog server
I would update the app structure to the below so you can push the config to multiple endpoints via the deployment server

base_app_name EG: org_environment_type_base_app
-- auth
---- serverCert.pem
---- rootCACert.pem
-- defaults OR local
---- inputs.conf
---- server.conf
---- outputs.conf

Your inputs.conf should contain

[SSL]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslPassword = #encryptedPassword
sslVersion = # version ### optional
requiredClientCert = # boolean

your server.conf should contain

[sslConfig]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslRootCAPath= SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem ### note rootCA is depreciated 
sslPassword = #password

[deployment]
pass4SymmKey = #password

You also need an outputs.conf

[tcpout]
sslPassword = #password
clientCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslVersion = # version ### optional

Hope this helps

View solution in original post

0 Karma

anmolpatel
Builder

You would need the certificate on the syslog server
I would update the app structure to the below so you can push the config to multiple endpoints via the deployment server

base_app_name EG: org_environment_type_base_app
-- auth
---- serverCert.pem
---- rootCACert.pem
-- defaults OR local
---- inputs.conf
---- server.conf
---- outputs.conf

Your inputs.conf should contain

[SSL]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslPassword = #encryptedPassword
sslVersion = # version ### optional
requiredClientCert = # boolean

your server.conf should contain

[sslConfig]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslRootCAPath= SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem ### note rootCA is depreciated 
sslPassword = #password

[deployment]
pass4SymmKey = #password

You also need an outputs.conf

[tcpout]
sslPassword = #password
clientCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslVersion = # version ### optional

Hope this helps

0 Karma

tskubisz
Engager

Thank you for help.
I not sure did I correct understand this steps.
Is that mean that I need to generate new certificate for client and upload this on Device from syslog is sending? (Synology NAS in my case)
Also can't find what is default password. I don't created any password for SSL.

0 Karma

anmolpatel
Builder

@tskubisz This will give you a walkthrough on how to generate it all for Splunk
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates

Yes, the certificate needs to be on the Device sending the syslog, go through this document for a thorough walkthrough
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/ConfigureSplunkforwardingtousesignedcert...

Validation step:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...