I recently enabled SSL connection between forwarders and indexers. When I check the metrics log for a UF with SSL enabled , i see this in the data. The connection type is showing as cookedSSL but ssl=fasle. Does that mean the connection is not secure? And the surprising part is, i see events in metrics.log for the same host with ssl=true entries. I am confused.
08-15-2019 16:10:56.061 +0000 INFO Metrics - group=tcpin_connections, xx.zz.yy.xx:52306:9997, connectionType=cookedSSL, sourcePort=52306, sourceHost=10.176.240.50, sourceIp=10.176.240.50, destPort=9997, kb=0.33, _tcp_Bps=10.97, _tcp_KBps=0.01, _tcp_avg_thruput=1.19, _tcp_Kprocessed=158.37, _tcp_eps=0.03, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.00, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=f817a93effc2, version=7.2.7, os=Linux, arch=x86_64, hostname=deployer, guid=6C69F32A-8F26-4F9F-831D-CA1623C5FA4A, fwdType=full, ssl=false, lastIndexer="10.176.240.39:9997,10.176.240.85:9997", ack=true
To verify, please run this search on the SH (if all nodes are sending their internal logs to the indexing layer) :
index=_internal source=metrics.log group=tcpin_connections |
dedup hostname | table _time hostname version sourceIp destPort ssl
alternatively you can check manually verify the port using the openssl suite:
/opt/splunk/bin/splunk cmd openssl s_client -connect :
https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Validateyourconfiguration
Hope this helps!
i was using that link for the verification that's where I noticed that log. I dont see any errors in splunkd.log about SSL, both on indexers and forwarders. I think the secure communication is working but wanted to confirm that.
Is the forwarder using indexer discovery ?
Hey anoopdi,
Did you get any clarity with whether the communication is been secured or no ? Because I am getting the exact entries in the internal logs. (connectionType=cookedSSL but SSL=false sometimes and SSL=true sometimes).
@anoopdi : Did you get any confirmation on this?