Security

Verifying Secure Communication between forwarders and indexers

anoopdi
Path Finder

I recently enabled SSL connection between forwarders and indexers. When I check the metrics log for a UF with SSL enabled , i see this in the data. The connection type is showing as cookedSSL but ssl=fasle. Does that mean the connection is not secure? And the surprising part is, i see events in metrics.log for the same host with ssl=true entries. I am confused.

08-15-2019 16:10:56.061 +0000 INFO Metrics - group=tcpin_connections, xx.zz.yy.xx:52306:9997, connectionType=cookedSSL, sourcePort=52306, sourceHost=10.176.240.50, sourceIp=10.176.240.50, destPort=9997, kb=0.33, _tcp_Bps=10.97, _tcp_KBps=0.01, _tcp_avg_thruput=1.19, _tcp_Kprocessed=158.37, _tcp_eps=0.03, _process_time_ms=0, evt_misc_kBps=0.00, evt_raw_kBps=0.00, evt_fields_kBps=0.00, evt_fn_kBps=0.00, evt_fv_kBps=0.00, evt_fn_str_kBps=0.00, evt_fn_meta_dyn_kBps=0.00, evt_fn_meta_predef_kBps=0.00, evt_fn_meta_str_kBps=0.00, evt_fv_num_kBps=0.00, evt_fv_str_kBps=0.00, evt_fv_predef_kBps=0.00, evt_fv_offlen_kBps=0.00, evt_fv_fp_kBps=0.00, build=f817a93effc2, version=7.2.7, os=Linux, arch=x86_64, hostname=deployer, guid=6C69F32A-8F26-4F9F-831D-CA1623C5FA4A, fwdType=full, ssl=false, lastIndexer="10.176.240.39:9997,10.176.240.85:9997", ack=true

Labels (1)
Tags (2)

mguhad
Communicator

To verify, please run this search on the SH (if all nodes are sending their internal logs to the indexing layer) :
index=_internal source=metrics.log group=tcpin_connections |
dedup hostname | table _time hostname version sourceIp destPort ssl

alternatively you can check manually verify the port using the openssl suite:
/opt/splunk/bin/splunk cmd openssl s_client -connect :

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Validateyourconfiguration
Hope this helps!

0 Karma

somesoni2
Revered Legend
0 Karma

anoopdi
Path Finder

i was using that link for the verification that's where I noticed that log. I dont see any errors in splunkd.log about SSL, both on indexers and forwarders. I think the secure communication is working but wanted to confirm that.

0 Karma

hrawat_splunk
Splunk Employee
Splunk Employee

Is the forwarder using indexer discovery ?

0 Karma

aaditi25
Loves-to-Learn Lots

Hey anoopdi,

Did you get any clarity with whether the communication is been secured or no ? Because I am getting the exact entries in the internal logs. (connectionType=cookedSSL but SSL=false sometimes and SSL=true sometimes).

0 Karma

ansif
Motivator

@anoopdi : Did you get any confirmation on this?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...