Can the syslog outputs in outputs.conf use SSL/TLS?
Hi,
I'm wondering whether the syslog output feature in outputs.conf, described in the [syslog] stanza, supports TLS encryption.
I see no mention of it in the docs about this.

I don't think it can. Also remember that there is no syslog output on the Universal Forwarder.
Also, why would you want to use syslog output? The use cases for it are so rare...
That's because the receiving end expects a syslog message.

OK. Maybe the question was too broad. What is your use case? Do you have non-syslog sources which you want to be sent to some syslog receiver? Or maybe you receive syslog data into your Splunk which you want to index and also route to some other solution?
The receiver is syslog-ng and expects syslog over TLS; this is mandatory. I understand you want to challenge this, but in my case it is not possible to change it.

Actually I'm trying to see if your "incoming" part could be re-architected. But if you absolutely want to get your data to Splunk first and then export it over TLS-enabled syslog, then good luck, because that output doesn't seem to support it.
You could _try_ to set up a tcpout with sendCookedData=false but there is a huge caveat to that.
You can route your event to one tcpout group at a time. So in order to send your event to both - your splunk indexers and your external syslog - you'd have to bend over backwards to try to make it work with event cloning, routing and generally making a huge mess of your HF's internals.
Yes, I know, so the simple "syslog" feature does not support TLS in Splunk; that's a shame.
Thanks anyway !

Well, you can use a workaround by installing a syslog server on your HF and sending unencrypted logs only over the loopback device, so that they don't traverse the network in plain form. In that syslog server's configuration (either syslog-ng or rsyslog) you'd configure TLS-enabled forwarding. That's how I'd approach it if I had such a requirement.
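The loopback-relay pattern from the reply above, as an added example that is not part of the original thread and not Splunk's or syslog-ng's own configuration: a shell script that stages the three Splunk conf files for a heavy forwarder (a `[syslog:<name>]` output bound to 127.0.0.1, plus the props/transforms pair that routes one sourcetype to it through `_SYSLOG_ROUTING`), the matching syslog-ng configuration that listens on loopback only and forwards with mutual TLS and certificate verification, and a guardrail that fails if any syslog output stanza points somewhere other than loopback (the one place where plaintext syslog would otherwise leave the host). The receiver hostname, ports, certificate paths, the `example:app` sourcetype and the target directories are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, Splunk or syslog-ng). Stages the
# "loopback relay": the HF's [syslog] output speaks plain TCP to syslog-ng on
# 127.0.0.1 only, and syslog-ng does the TLS hop to the real receiver.
# Hostnames, ports, paths and the sourcetype below are assumptions.

# Splunk side: [syslog:<name>] output bound to loopback, and a props/transforms
# pair routing one sourcetype to it via _SYSLOG_ROUTING (heavy forwarder only;
# the Universal Forwarder has no syslog output).
write_splunk_confs() {
    dir="$1"    # e.g. $SPLUNK_HOME/etc/apps/syslog_relay/local (assumed)
    mkdir -p "$dir"
    cat > "$dir/outputs.conf" <<'EOF'
[syslog:loopback_relay]
server = 127.0.0.1:5140
type = tcp
timestampformat = %b %e %H:%M:%S
EOF
    cat > "$dir/props.conf" <<'EOF'
[example:app]
TRANSFORMS-route_to_syslog = route_loopback_relay
EOF
    cat > "$dir/transforms.conf" <<'EOF'
[route_loopback_relay]
REGEX = .
DEST_KEY = _SYSLOG_ROUTING
FORMAT = loopback_relay
EOF
}

# syslog-ng side: listen on loopback only, forward over TLS with client cert
# and mandatory verification of the receiver's certificate against our CA.
write_syslog_ng_conf() {
    cat > "$1" <<'EOF'
@version: 3.38
# adjust @version to the installed syslog-ng release
source s_splunk_loopback {
    network(ip("127.0.0.1") port(5140) transport("tcp"));
};
destination d_receiver_tls {
    network("syslog-receiver.example.com" port(6514) transport("tls")
        tls(
            ca-file("/etc/syslog-ng/ca.d/receiver-ca.crt")
            cert-file("/etc/syslog-ng/cert.d/relay.crt")
            key-file("/etc/syslog-ng/cert.d/relay.key")
            peer-verify(required-trusted)
        )
    );
};
log { source(s_splunk_loopback); destination(d_receiver_tls); };
EOF
}

# Guardrail: every [syslog:...] stanza in an outputs.conf must target loopback,
# otherwise plaintext syslog leaves the host. Exits 1 on the first violation.
check_syslog_outputs_loopback() {
    awk '
        /^\[/ { in_syslog = ($0 ~ /^\[syslog:/) }
        in_syslog && /^[[:space:]]*server[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            host = $0; sub(/:[0-9]+[[:space:]]*$/, "", host)
            if (host != "127.0.0.1" && host != "localhost" && host != "::1") {
                printf "non-loopback syslog output: %s\n", $0 > "/dev/stderr"
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# Manual checks on the HF (needs syslog-ng and openssl installed): config
# syntax, and that the receiver presents a certificate chaining to our CA.
check_relay() {
    syslog-ng -s -f "$1" &&
    openssl s_client -connect syslog-receiver.example.com:6514 \
        -CAfile /etc/syslog-ng/ca.d/receiver-ca.crt -verify_return_error </dev/null
}
```

Run `check_syslog_outputs_loopback` against the deployed outputs.conf after every change (for example from a pre-deploy hook on the deployment server); it is the only thing standing between "plaintext on loopback" and "plaintext on the wire" in this design. `type = tcp` matters too: the `[syslog]` output defaults to UDP, and syslog-ng's loopback source above only accepts TCP.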
Hi @davietch
I think the best way to use TLS for syslog sources is: use syslog-ng or rsyslog, and use UF TLS to send the data.
Please check the example here
https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html

This one's kinda old, and the current recommended solution for receiving syslog events is SC4S, but saving to files and ingesting them from disk will also work, of course.
And yes, that's what I was getting at: if the events which @davietch wants to send away are syslog-originated, it is probably easier, more efficient and more maintainable to simply use a syslog-dedicated solution than to do that in Splunk itself.
