Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the most simple way to enable SSL communication between my forwarders and indexers?

jbsplunk
Splunk Employee
Splunk Employee
‎11-28-2012 11:26 AM

Does anyone know where I can find a working configuration that shows splunk2splunk using ssl? I would really appreciate a working example

Tags (2)
Reply

georgen_splunk
Splunk Employee
Splunk Employee
‎06-13-2018 11:41 AM

updated for Enterprise versions 7.1

Indexer: $SPLUNK_HOME/etc/system/local/inputs.conf

[default]
host = indexerA1.chubbybunny.com

[splunktcp-ssl:9997]
compressed = true

[SSL]
sslPassword = password
requireClientCert = false
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem

Forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
compressed = true
server = indexerA1.chubbybunny.com:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert = false
0 Karma
Reply

sayash27
Explorer
‎07-16-2018 08:24 AM

here sslPassword is of ca.pem or server.pem? In case we have different password then which password we are going to use.

Reply

jworthington_sp
Splunk Employee
Splunk Employee
‎11-28-2012 11:45 AM

If you prefer to use your own certificates, you can also check out the following topic in the Securing Splunk guide:

http://docs.splunk.com/Documentation/Splunk/5.0.1/Security/ConfigureSplunkforwardingtousesignedcerti...

Reply

Chubbybunny
Splunk Employee
Splunk Employee
‎11-28-2012 11:38 AM

you got it.

Using the built-in certs on our UF's and indexers. We've managed to get SSL working for splunkTOsplunk communication using the following in/outputs.conf

Indexer: $splunk_home/etc/system/local/inputs.conf

[default]
host = indexerA1.chubbybunny.com

[splunktcp-ssl:9997]
compressed = true

[SSL]
password = password
requireClientCert = false
rootCA = $SPLUNK_HOME/etc/auth/ca.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem

Forwarder: $splunk_home/etc/system/local/outputs.conf

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
compressed = true
server = indexerA1.chubbybunny.com:9997
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert = false

*while this simply secures the communication channel between the two, using the default certs comes with a risk.
Also - the default password for both (server.pem & ca.pem) is: password

Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...