Security

Verifying Secure Communication between forwarders and indexers

anoopdi
Path Finder

I recently enabled SSL connection between forwarders and indexers. When I check the metrics log for a UF with SSL enabled , i see this in the data. The connection type is showing as cookedSSL but ssl=fasle. Does that mean the connection is not secure? And the surprising part is, i see events in metrics.log for the same host with ssl=true entries. I am confused.

08-15-2019 16:10:56.061 +0000 INFO Metrics - group=tcpin_connections, xx.zz.yy.xx:52306:9997, connectionType=cookedSSL, sourcePort=52306, sourceHost=10.176.240.50, sourceIp=10.176.240.50, destPort=9997, kb=0.33, _tcp_Bps=10.97, _tcp_KBps=0.01, _tcp_avg_thruput=1.19, _tcp_Kprocessed=158.37, _tcp_eps=0.03, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.00, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=f817a93effc2, version=7.2.7, os=Linux, arch=x86_64, hostname=deployer, guid=6C69F32A-8F26-4F9F-831D-CA1623C5FA4A, fwdType=full, ssl=false, lastIndexer="10.176.240.39:9997,10.176.240.85:9997", ack=true

Labels (1)
Tags (2)

mguhad
Communicator

To verify, please run this search on the SH (if all nodes are sending their internal logs to the indexing layer) :
index=_internal source=metrics.log group=tcpin_connections |
dedup hostname | table _time hostname version sourceIp destPort ssl

alternatively you can check manually verify the port using the openssl suite:
/opt/splunk/bin/splunk cmd openssl s_client -connect :

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Validateyourconfiguration
Hope this helps!

0 Karma

somesoni2
SplunkTrust
SplunkTrust
0 Karma

anoopdi
Path Finder

i was using that link for the verification that's where I noticed that log. I dont see any errors in splunkd.log about SSL, both on indexers and forwarders. I think the secure communication is working but wanted to confirm that.

0 Karma

hrawat_splunk
Splunk Employee
Splunk Employee

Is the forwarder using indexer discovery ?

0 Karma

aaditi25
Loves-to-Learn Lots

Hey anoopdi,

Did you get any clarity with whether the communication is been secured or no ? Because I am getting the exact entries in the internal logs. (connectionType=cookedSSL but SSL=false sometimes and SSL=true sometimes).

0 Karma

ansif
Motivator

@anoopdi : Did you get any confirmation on this?

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...