I am pulling together a small, single-server Splunk deployment. Because the deployment is on a small scale, I intend to have the couple of syslog endpoints connect directly to the Splunk server (not via a separate syslog server with a UF).
I would therefore like to configure a TCP/TLS syslog input on my Splunk Enterprise server. I have also just discovered that Splunk now supports TLS 1.3. Based on this I would like my deployment to only use TLS 1.3 (not TLS 1.2 or earlier).
From what I have read, I have to configure settings in server.conf as follows:
[tls1.3]
cipherSuite = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
groups = prime256v1, secp384r1, secp521r1
What I am trying to figure out though is how to configure the inputs.conf file.
I'm thinking that I would need to configure inputs.conf as follows:
[tcp-ssl://6514]
# Splunk .conf attribute names are case-sensitive; the documented key is connection_host
connection_host = ip
index = network
sourcetype = syslog
disabled = false

[SSL]
# documented key is sslPassword (lowercase s)
sslPassword = <password>
# PEM file holding the server certificate, its private key and any chain certs
serverCert = /opt/splunk/etc/auth/splunkweb_combined.cer
sslVersions = tls1.3
Does the above look correct?
I'm assuming that:
Thanks in advance for any thoughts.
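Once the input is up, the check worth running is a handshake pinned to each TLS version against port 6514 to confirm that only TLS 1.3 is negotiable. The script below is an added example written for this post, not Splunk code: it uses Python's ssl module to try TLS 1.0 through 1.3 one at a time and reports a verdict. It assumes the input listens on 127.0.0.1:6514 and deliberately skips certificate validation, because the point is protocol negotiation and the input will typically present a self-signed or internal-CA certificate.

```python
"""Probe a TLS listener (e.g. a Splunk tcp-ssl input on 6514) to confirm which
TLS protocol versions it will negotiate. Added example, not Splunk's own code."""
import socket
import ssl
import sys

# Versions to try, oldest first. The local OpenSSL may refuse to even offer
# TLS 1.0/1.1; that is reported separately but still counts as "not negotiated".
PROBE_VERSIONS = {
    "tls1.0": ssl.TLSVersion.TLSv1,
    "tls1.1": ssl.TLSVersion.TLSv1_1,
    "tls1.2": ssl.TLSVersion.TLSv1_2,
    "tls1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls_version(host, port, version, timeout=5.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns (negotiated, detail). negotiated is True only if the server
    completed a handshake at that version. Certificate checks are disabled on
    purpose: we are testing protocol negotiation, not trust.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError) as exc:
        return False, f"local OpenSSL cannot offer it: {exc}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"negotiated {tls.version()} with {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        # A TLS 1.3-only server answers a TLS 1.2 ClientHello with a
        # protocol_version alert, which surfaces here.
        return False, f"handshake rejected: {exc.reason or exc}"
    except OSError as exc:
        # Connection refused, timeout, unreachable host, etc.
        return False, f"connection failed: {exc}"


def probe_all(host, port, timeout=5.0):
    """Probe every version in PROBE_VERSIONS; returns {name: (ok, detail)}."""
    return {name: probe_tls_version(host, port, v, timeout)
            for name, v in PROBE_VERSIONS.items()}


def assess(results):
    """Summarise probe results.

    'tls1.3-only' : only TLS 1.3 negotiated (the desired state)
    'mixed'       : TLS 1.3 plus at least one older version negotiated
    'no-tls1.3'   : something negotiated, but not TLS 1.3
    'unreachable' : nothing negotiated at all (listener down, or blocked)
    """
    accepted = {name for name, (ok, _) in results.items() if ok}
    if accepted == {"tls1.3"}:
        return "tls1.3-only"
    if "tls1.3" in accepted:
        return "mixed"
    if accepted:
        return "no-tls1.3"
    return "unreachable"


if __name__ == "__main__":
    # Assumed defaults: the Splunk tcp-ssl input from the post, on localhost.
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6514
    res = probe_all(host, port)
    for name, (ok, detail) in res.items():
        print(f"{name:7s} {'ACCEPTED' if ok else 'rejected'}  {detail}")
    print("verdict:", assess(res))
```

Run it as `python3 probe_tls.py <splunk-host> 6514` after restarting Splunk. If the verdict is "mixed", the sslVersions restriction did not take effect for that input; if it is "unreachable", check that the input is enabled and that the port is open before blaming TLS.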