Security

TCP Data Input and SSL

tskubisz
Engager

Hi there.

I trying to configure Splunk to receiving data from TCP port 514.

I using default Splunk certificates witch are generated in /opt/splunk/etc/auth

I configured inputs.conf :

[tcp-ssl:514]
sourcetype = syslog

[SSL]

rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem

On my network device I configured to send syslog to my Splunk server address via Tcp port 514 and import cacert.pem

After that i can't explore logs via this device but logos are hashed.

What I am doing wrong?

0 Karma
1 Solution

anmolpatel
Builder

You would need the certificate on the syslog server
I would update the app structure to the below so you can push the config to multiple endpoints via the deployment server

base_app_name EG: org_environment_type_base_app
-- auth
---- serverCert.pem
---- rootCACert.pem
-- defaults OR local
---- inputs.conf
---- server.conf
---- outputs.conf

Your inputs.conf should contain

[SSL]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslPassword = #encryptedPassword
sslVersion = # version ### optional
requiredClientCert = # boolean

your server.conf should contain

[sslConfig]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslRootCAPath= SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem ### note rootCA is depreciated 
sslPassword = #password

[deployment]
pass4SymmKey = #password

You also need an outputs.conf

[tcpout]
sslPassword = #password
clientCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslVersion = # version ### optional

Hope this helps

View solution in original post

0 Karma

anmolpatel
Builder

You would need the certificate on the syslog server
I would update the app structure to the below so you can push the config to multiple endpoints via the deployment server

base_app_name EG: org_environment_type_base_app
-- auth
---- serverCert.pem
---- rootCACert.pem
-- defaults OR local
---- inputs.conf
---- server.conf
---- outputs.conf

Your inputs.conf should contain

[SSL]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem
sslPassword = #encryptedPassword
sslVersion = # version ### optional
requiredClientCert = # boolean

your server.conf should contain

[sslConfig]
serverCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslRootCAPath= SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem ### note rootCA is depreciated 
sslPassword = #password

[deployment]
pass4SymmKey = #password

You also need an outputs.conf

[tcpout]
sslPassword = #password
clientCert = SPLUNK_HOME/etc/apps/*base_app_name*/auth/*file_name*.pem 
sslVersion = # version ### optional

Hope this helps

0 Karma

tskubisz
Engager

Thank you for help.
I not sure did I correct understand this steps.
Is that mean that I need to generate new certificate for client and upload this on Device from syslog is sending? (Synology NAS in my case)
Also can't find what is default password. I don't created any password for SSL.

0 Karma

anmolpatel
Builder

@tskubisz This will give you a walkthrough on how to generate it all for Splunk
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates

Yes, the certificate needs to be on the Device sending the syslog, go through this document for a thorough walkthrough
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/ConfigureSplunkforwardingtousesignedcert...

Validation step:
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration

0 Karma
Get Updates on the Splunk Community!

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...