Security

Tcp data input and ssl

Hari
Observer

I have configured /local/inputs.confg file for tcp input data for ssl as suggested in documents. But after restart the splunk when it is not working. 

I am using 8.x version. Please suggest the way to securely send tcp data from my application to splunk server using ssl certificate.

Labels (1)
0 Karma

thambisetty
Super Champion

@Hari 
Are you forwarding events to Splunk using HTTP event collector?

————————————
If this helps, give a like below.
0 Karma

Hari
Observer

I am forwarding data using tcp data input. So if I  send data to tcp input data port, data is recieved  successfully ( I am not using any data security certificate). But I want to use ssl security certificate for this data transmission. 

Is there any way to send data  to splunk tcp data input port by using ssl/tls security certificate.

Note: I want to mention that I am using Serilog logging framework in my application to send data to splunk.

0 Karma

thambisetty
Super Champion

You can follow the process I shared in my first answer.

————————————
If this helps, give a like below.
0 Karma

thambisetty
Super Champion

It's not very easy process. 

I should explain starting from generating CSR.

 

 

#Switch user to user which is running splunkd service, for example: splunkd is running with splunk user.

sudo su - splunk
# Change directory to $SPLUNK_HOME, for example splunk is under /opt
cd /opt/splunk/

#1 Generate Key this will prompt for passphrase, key in and remember the passphrase
openssl genrsa -des3 -out splunk_2_splunk_server.key 3072

#2 Add All your Indexers or Heavy forwarders ( this is basically receiver/server) to issue single certifcate) with Cert Details for the above key

#3 Make sure to fill replace all values inside <>
# for example /C=India
# DNS:splunkidx02.domain.com

openssl req -new -sha256 -key splunk_2_splunk_server.key -out splunk_2_splunk_server.csr -subj "/C=<country>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<certficate_name>" -reqexts SAN -config <(cat /opt/splunk/openssl/openssl.cnf <(printf "req_extensions = v3_req\n[SAN]\nsubjectAltName=DNS:<receiver1_fqdn>,DNS:<receiver2_fqdn>")) -out splunk_2_splunk_server.csr

#4 View CSR in plain text for validation
openssl req -in splunk_2_splunk_server.csr -noout -text

repeat steps #1-#4 to create a CSR for client, don't use same passphrase for both client and server.

for example you have created client csr "splunk_2_splunk_client.csr"
and server csr "splunk_2_splunk_server.csr" 
sign both of them using your CA.

# if your company provides p7b cert, you can convert p7b to pem because pem is required in splunk
openssl pkcs7 -print_certs -in <yourcert>.p7b -out splunk_2_splunk.pem 

Now, you have client key with passphrase, client pem certificate and server key with passphrase, server pem certificate.


#this should go to server ( HF or Indexer)
create an app appforhforindexer
create a directory cert inside it
create server.pem inside cert directory

server.pem: is combination of below

server_signed_cert.pem
server.key
internmediate.pem (if any)
root.pem

#I have deployed app to HF/Indexer using Deployment server.
/opt/splunk/etc/deployment-apps/<appforhforindexer>/local/inputs.conf

[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/apps/<appforhforindexer>/cert/server.pem
requireClientCert = false
sslPassword = <server_key_passphraseinplaintext>


Client Configuration (this should go to universal forwarders)
create an app appforclient
create a directory cert inside it
create client.pem inside cert directory

client.pem: is combination of below

client_signed_cert.pem
client.key
internmediate.pem (if any)
root.pem

/opt/splunk/etc/deployment-apps/<appforclient>/local/outputs.conf
[tcpout]
defaultGroup = <yourtcpoutgroup>

[tcpout:<yourtcpoutgroup>]
server = server1:9997,server2:9997

clientCert = $SPLUNK_HOME/etc/apps/<appforclient>/cert/client.pem
sslPassword = <client_key_passphraseinplaintext>
useClientSSLCompression = true
sslVerifyServerCert = false



 

 

————————————
If this helps, give a like below.
0 Karma

Hari
Observer

Hello, 

Do i need to add Protocal data input add-on to the splunk to communicate my application with splunk on ssl tcp.  I want to inform here that i am using Serilog API's TCPSyslog() to send message to splunk.

I am using Splunk 8.0.X version on windows 10.

Please suggest the way to send data to splunk using secured tcp input. And also inform me if any additional setting need to do in splunk. I am totally new to this tool.

0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...