TCP data input and SSL


I have configured the /local/inputs.conf file for TCP input data for SSL as suggested in the documents. But after restarting Splunk, it is not working.

I am using version 8.x. Please suggest a way to securely send TCP data from my application to the Splunk server using an SSL certificate.

0 Karma

Super Champion

Are you forwarding events to Splunk using HTTP event collector?

If this helps, give a like below.
0 Karma


I am forwarding data using a TCP data input. If I send data to the TCP data input port, the data is received successfully (I am not using any data security certificate). But I want to use an SSL security certificate for this data transmission.

Is there any way to send data to the Splunk TCP data input port using an SSL/TLS security certificate?

Note: I want to mention that I am using Serilog logging framework in my application to send data to splunk.

0 Karma

Super Champion

You can follow the process I shared in my first answer.

If this helps, give a like below.
0 Karma

Super Champion

It's not a very easy process.

I should explain starting from generating the CSR.



#Switch user to user which is running splunkd service, for example: splunkd is running with splunk user.

sudo su - splunk
# Change directory to $SPLUNK_HOME, for example splunk is under /opt
cd /opt/splunk/

#1 Generate the key; this will prompt for a passphrase. Key it in and remember the passphrase
openssl genrsa -des3 -out splunk_2_splunk_server.key 3072

#2 Add all your indexers or heavy forwarders (these are basically the receivers/servers) to issue a single certificate with cert details for the above key

#3 Make sure to replace all values inside <>
# for example /C=IN (openssl accepts only a two-letter country code here)

openssl req -new -sha256 -key splunk_2_splunk_server.key -subj "/C=<country>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<certificate_name>" -reqexts SAN -config <(cat /opt/splunk/openssl/openssl.cnf <(printf "req_extensions = v3_req\n[SAN]\nsubjectAltName=DNS:<receiver1_fqdn>,DNS:<receiver2_fqdn>")) -out splunk_2_splunk_server.csr

#4 View CSR in plain text for validation
openssl req -in splunk_2_splunk_server.csr -noout -text

Repeat steps #1-#4 to create a CSR for the client; don't use the same passphrase for both client and server.

For example, you have created the client CSR "splunk_2_splunk_client.csr"
and the server CSR "splunk_2_splunk_server.csr".
Sign both of them using your CA.

# if your company provides p7b cert, you can convert p7b to pem because pem is required in splunk
openssl pkcs7 -print_certs -in <yourcert>.p7b -out splunk_2_splunk.pem 

Now you have the client key with passphrase, the client PEM certificate, the server key with passphrase, and the server PEM certificate.

#this should go to server ( HF or Indexer)
create an app appforhforindexer
create a directory cert inside it
create server.pem inside cert directory

server.pem is a combination of the below:

intermediate.pem (if any)

#I have deployed app to HF/Indexer using Deployment server.

disabled = 0

serverCert = $SPLUNK_HOME/etc/apps/<appforhforindexer>/cert/server.pem
requireClientCert = false
sslPassword = <server_key_passphraseinplaintext>

Client Configuration (this should go to universal forwarders)
create an app appforclient
create a directory cert inside it
create client.pem inside cert directory

client.pem is a combination of the below:

intermediate.pem (if any)

defaultGroup = <yourtcpoutgroup>

server = server1:9997,server2:9997

clientCert = $SPLUNK_HOME/etc/apps/<appforclient>/cert/client.pem
sslPassword = <client_key_passphraseinplaintext>
useClientSSLCompression = true
sslVerifyServerCert = false



If this helps, give a like below.
0 Karma
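
An added example, not part of the original answer or of Splunk's own tooling: a small Python audit of the inputs.conf and outputs.conf settings posted above. It flags the cases where TLS encrypts the link but one side does not authenticate the other, and where the key passphrase sits in clear text. The stanza names, group name and passphrase values in the samples are constructed assumptions, since the post shows only the key/value lines.

```python
import configparser

# Constructed samples mirroring the settings in the answer above. Stanza names,
# the group name and the passphrase values are assumptions for illustration.
INPUTS_CONF = """
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/apps/appforhforindexer/cert/server.pem
requireClientCert = false
sslPassword = example-passphrase
"""
OUTPUTS_CONF = """
[tcpout]
defaultGroup = example_group
[tcpout:example_group]
server = server1:9997,server2:9997
clientCert = $SPLUNK_HOME/etc/apps/appforclient/cert/client.pem
sslPassword = example-passphrase
sslVerifyServerCert = false
"""

# certificate setting -> (peer-authentication setting, risk when it is off)
PEER_AUTH = {
    "serverCert": ("requireClientCert", "any client may connect without a certificate"),
    "clientCert": ("sslVerifyServerCert", "receiver certificate is not validated"),
}
OFF = {"false", "0", "f", "no", "n"}

def audit(conf_text):
    """Return sorted (stanza, setting, finding) tuples for one .conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep Splunk's case-sensitive setting names
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        items = dict(parser[stanza])
        for cert_key, (auth_key, risk) in PEER_AUTH.items():
            # Assumption: an absent setting is treated as off.
            if cert_key in items and items.get(auth_key, "false").strip().lower() in OFF:
                findings.append((stanza, auth_key, risk))
        secret = items.get("sslPassword", "")
        # Splunk-encrypted values start with $1$ or $7$; anything else is clear text.
        if secret and not secret.startswith(("$1$", "$7$")):
            findings.append((stanza, "sslPassword", "passphrase is stored in clear text"))
    return sorted(findings)

if __name__ == "__main__":
    for name, text in (("inputs.conf", INPUTS_CONF), ("outputs.conf", OUTPUTS_CONF)):
        for stanza, setting, finding in audit(text):
            print(f"{name} [{stanza}] {setting}: {finding}")
```
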



Do I need to add the Protocol data input add-on to Splunk for my application to communicate with Splunk over SSL TCP? I want to mention here that I am using the Serilog API's TCPSyslog() to send messages to Splunk.

I am using Splunk version 8.0.X on Windows 10.

Please suggest a way to send data to Splunk using a secured TCP input. Also let me know if any additional settings need to be made in Splunk. I am totally new to this tool.

0 Karma