Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Verifying Secure Communication between forwarders and indexers

anoopdi
Path Finder
‎08-15-2019 09:22 AM

I recently enabled SSL connection between forwarders and indexers. When I check the metrics log for a UF with SSL enabled , i see this in the data. The connection type is showing as cookedSSL but ssl=fasle. Does that mean the connection is not secure? And the surprising part is, i see events in metrics.log for the same host with ssl=true entries. I am confused.

08-15-2019 16:10:56.061 +0000 INFO Metrics - group=tcpin_connections, xx.zz.yy.xx:52306:9997, connectionType=cookedSSL, sourcePort=52306, sourceHost=10.176.240.50, sourceIp=10.176.240.50, destPort=9997, kb=0.33, _tcp_Bps=10.97, _tcp_KBps=0.01, _tcp_avg_thruput=1.19, _tcp_Kprocessed=158.37, _tcp_eps=0.03, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.00, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=f817a93effc2, version=7.2.7, os=Linux, arch=x86_64, hostname=deployer, guid=6C69F32A-8F26-4F9F-831D-CA1623C5FA4A, fwdType=full, ssl=false, lastIndexer="10.176.240.39:9997,10.176.240.85:9997", ack=true

Labels (1)
Labels
Tags (2)
Reply

mguhad
Communicator
‎05-21-2020 02:28 PM

To verify, please run this search on the SH (if all nodes are sending their internal logs to the indexing layer) :
index=_internal source=metrics.log group=tcpin_connections |
dedup hostname | table _time hostname version sourceIp destPort ssl

alternatively you can check manually verify the port using the openssl suite:
/opt/splunk/bin/splunk cmd openssl s_client -connect :

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Validateyourconfiguration
Hope this helps!

0 Karma
Reply

somesoni2
Revered Legend
‎08-15-2019 10:41 AM

See this:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Validateyourconfiguration

0 Karma
Reply

anoopdi
Path Finder
‎08-15-2019 11:05 AM

i was using that link for the verification that's where I noticed that log. I dont see any errors in splunkd.log about SSL, both on indexers and forwarders. I think the secure communication is working but wanted to confirm that.

0 Karma
Reply

hrawat_splunk
Splunk Employee
Splunk Employee
‎11-21-2023 08:29 PM

Is the forwarder using indexer discovery ?

0 Karma
Reply

aaditi25
Loves-to-Learn Lots
‎12-18-2021 11:24 PM

Hey anoopdi,

Did you get any clarity with whether the communication is been secured or no ? Because I am getting the exact entries in the internal logs. (connectionType=cookedSSL but SSL=false sometimes and SSL=true sometimes).

0 Karma
Reply

ansif
Motivator
‎05-21-2020 07:49 AM

@anoopdi : Did you get any confirmation on this?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...