Security

Tcp data input and ssl

Hari
Observer

I have configured the /local/inputs.conf file for TCP data input over SSL as suggested in the documentation. But after restarting Splunk it is not working.

I am using 8.x version. Please suggest the way to securely send tcp data from my application to splunk server using ssl certificate.

0 Karma

thambisetty
SplunkTrust

@Hari 
Are you forwarding events to Splunk using HTTP event collector?

————————————
If this helps, give a like below.
0 Karma

Hari
Observer

I am forwarding data using a TCP data input. So if I send data to the TCP data input port, the data is received successfully (I am not using any data security certificate). But I want to use an SSL security certificate for this data transmission.

Is there any way to send data to the Splunk TCP data input port by using an SSL/TLS security certificate?

Note: I want to mention that I am using Serilog logging framework in my application to send data to splunk.

0 Karma

thambisetty
SplunkTrust

You can follow the process I shared in my first answer.

————————————
If this helps, give a like below.
0 Karma

thambisetty
SplunkTrust

It's not a very easy process.

I should explain starting from generating a CSR.

# Switch to the user that runs the splunkd service, for example: splunkd is running as the splunk user.

sudo su - splunk
# Change directory to $SPLUNK_HOME, for example splunk is under /opt
cd /opt/splunk/

#1 Generate the key. This will prompt for a passphrase; enter one and remember it (it is needed later for sslPassword).
openssl genrsa -des3 -out splunk_2_splunk_server.key 3072

#2 Add all your indexers or heavy forwarders (these are the receivers/servers) as DNS SANs so that a single certificate covers them, with the cert details for the above key

#3 Make sure to replace all values inside <>
# for example /C=India
# DNS:splunkidx02.domain.com
# (the <(...) process substitution below needs bash)

openssl req -new -sha256 -key splunk_2_splunk_server.key \
  -subj "/C=<country>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<certificate_name>" \
  -reqexts SAN \
  -config <(cat /opt/splunk/openssl/openssl.cnf <(printf "\nreq_extensions = v3_req\n[SAN]\nsubjectAltName=DNS:<receiver1_fqdn>,DNS:<receiver2_fqdn>")) \
  -out splunk_2_splunk_server.csr

#4 View the CSR in plain text for validation (check the Subject and the X509v3 Subject Alternative Name)
openssl req -in splunk_2_splunk_server.csr -noout -text

Repeat steps #1-#4 to create a CSR for the client; don't use the same passphrase for both client and server.

For example, you have created the client CSR "splunk_2_splunk_client.csr"
and the server CSR "splunk_2_splunk_server.csr".
Sign both of them using your CA.

# if your company provides a p7b cert, you can convert p7b to pem because pem is required in splunk
openssl pkcs7 -print_certs -in <yourcert>.p7b -out splunk_2_splunk.pem

Now you have a client key with passphrase, a client pem certificate, a server key with passphrase and a server pem certificate.


# this should go to the server (HF or indexer)
create an app appforhforindexer
create a directory cert inside it
create server.pem inside the cert directory

server.pem is a combination of the following:

server_signed_cert.pem
server.key
intermediate.pem (if any)
root.pem

# I have deployed the app to the HF/indexer using the deployment server.
/opt/splunk/etc/deployment-apps/<appforhforindexer>/local/inputs.conf

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/apps/<appforhforindexer>/cert/server.pem
requireClientCert = false
sslPassword = <server_key_passphraseinplaintext>


Client configuration (this should go to the universal forwarders)
create an app appforclient
create a directory cert inside it
create client.pem inside the cert directory

client.pem is a combination of the following:

client_signed_cert.pem
client.key
intermediate.pem (if any)
root.pem

/opt/splunk/etc/deployment-apps/<appforclient>/local/outputs.conf
[tcpout]
defaultGroup = <yourtcpoutgroup>

[tcpout:<yourtcpoutgroup>]
server = server1:9997,server2:9997

clientCert = $SPLUNK_HOME/etc/apps/<appforclient>/cert/client.pem
sslPassword = <client_key_passphraseinplaintext>
useClientSSLCompression = true
sslVerifyServerCert = false


————————————
If this helps, give a like below.
0 Karma
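The answer above gives the CSR steps and the layout of server.pem / client.pem as manual commands. The script below is an added lab example, not code from the thread or from Splunk: it runs those steps end to end in a temporary directory and then checks the resulting bundles the way a practitioner would before pointing serverCert or clientCert at them. Everything in it is constructed: a throwaway root CA stands in for the company CA named in the answer, the receiver and forwarder hostnames are example.com placeholders, the passphrases are fixed strings instead of prompt input (so the script runs unattended), and the SAN is written to a small config file instead of the bash-only process substitution used in the answer.

```shell
#!/bin/sh
# Added lab example (not from the thread): the CSR-with-SAN steps above, end to end,
# plus assembly of server.pem / client.pem in the order the answer lists
# (signed cert, encrypted key, intermediate if any, root). All names are constructed.
set -e

WORK=$(mktemp -d)
SERVER_PASS="server-lab-passphrase"   # constructed; in practice typed at the genrsa prompt
CLIENT_PASS="client-lab-passphrase"   # deliberately different from the server passphrase

# Small openssl config carrying the subject and a [SAN] section; replaces the
# <(cat openssl.cnf <(printf ...)) trick with a file that plain sh can use.
write_req_config() {
    name=$1; sans=$2
    cat > "$WORK/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = US
ST = Example State
L = Example City
O = Example Org
OU = Security
CN = $name
[SAN]
subjectAltName = $sans
EOF
}

# Steps #1-#3: passphrase-protected key, then a CSR carrying every receiver as a DNS SAN.
make_key_and_csr() {
    name=$1; sans=$2; pass=$3
    write_req_config "$name" "$sans"
    openssl genrsa -des3 -passout "pass:$pass" -out "$WORK/$name.key" 3072 2>/dev/null
    openssl req -new -sha256 -key "$WORK/$name.key" -passin "pass:$pass" \
        -config "$WORK/$name.cnf" -reqexts SAN -out "$WORK/$name.csr"
}

# Stand-in for "sign both of them using your CA": a one-day lab root. It must carry
# basicConstraints CA:TRUE or openssl verify will reject the chain.
make_lab_ca() {
    cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Lab Root CA (constructed)
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -config "$WORK/ca.cnf" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
}

# Sign a CSR; x509 -req drops the CSR's extensions, so the SAN section is passed again.
sign_csr() {
    name=$1
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 1 -sha256 -extfile "$WORK/$name.cnf" -extensions SAN \
        -out "$WORK/${name}_signed_cert.pem" 2>/dev/null
}

# Bundle in the answer's order: signed cert, key (still encrypted), then root (no intermediate here).
assemble_bundle() {
    name=$1
    cat "$WORK/${name}_signed_cert.pem" "$WORK/$name.key" "$WORK/root.pem" > "$WORK/$name.pem"
}

# Checks to run before using the file as serverCert / clientCert: the leaf chains to the
# root, the bundle holds exactly one key, that key is encrypted (hence sslPassword), and
# the certificate block comes first.
check_bundle() {
    name=$1
    openssl verify -CAfile "$WORK/root.pem" "$WORK/${name}_signed_cert.pem" >/dev/null || return 1
    [ "$(grep -c 'BEGIN.*PRIVATE KEY' "$WORK/$name.pem")" -eq 1 ] || return 1
    grep -q 'ENCRYPTED' "$WORK/$name.pem" || return 1
    [ "$(head -n 1 "$WORK/$name.pem")" = "-----BEGIN CERTIFICATE-----" ] || return 1
}

# Step #4 automated: does the CSR carry the SAN for the given receiver name?
csr_has_san() {
    openssl req -in "$WORK/$1.csr" -noout -text | grep -q "DNS:$2"
}

make_lab_ca
make_key_and_csr splunk_2_splunk_server "DNS:idx01.example.com,DNS:idx02.example.com" "$SERVER_PASS"
make_key_and_csr splunk_2_splunk_client "DNS:uf01.example.com" "$CLIENT_PASS"
for n in splunk_2_splunk_server splunk_2_splunk_client; do
    sign_csr "$n"
    assemble_bundle "$n"
    check_bundle "$n" && echo "$n.pem: chain verifies, single encrypted key, certificate first"
done
```

With a real deployment, root.pem is the company CA's certificate and intermediate.pem (if the CA issues one) goes between the key and the root; the passphrase given to genrsa is what sslPassword in the posted inputs.conf and outputs.conf must contain. Note that the chain check this script performs is exactly what `sslVerifyServerCert = false` in the posted outputs.conf switches off on the forwarder side, so a forwarder configured that way will accept any certificate the receiver presents.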

Hari
Observer

Hello,

Do I need to add the Protocol Data Inputs add-on to Splunk to let my application communicate with Splunk over SSL TCP? I want to inform you that I am using Serilog's TCPSyslog() API to send messages to Splunk.

I am using Splunk 8.0.X on Windows 10.

Please suggest the way to send data to Splunk using a secured TCP input, and also let me know if any additional settings need to be done in Splunk. I am totally new to this tool.

0 Karma