I am pulling together a small single server Splunk deployment. Because the deployment is on a small scale, I intend to have the couple of syslog endpoints connecting directly to the Splunk server (not via a separate syslog server with UF).
I would therefore like to configure a TCP/TLS syslog input on my Splunk Enterprise server. I have also just discovered that Splunk now supports TLS 1.3. Based on this I would like my deployment to only use TLS1.3 (not TLS1.2 or earlier).
From what I have read, I have to configure settings in server.conf as follows:
[tls1.3]
cipherSuite = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
groups = prime256v1, secp384r1, secp521r1
What I am trying to figure out though is how to configure the inputs.conf file.
I'm thinking that I would need to configure inputs.conf as follows:
[tcp-ssl://6514]
Connection_host = ip
index = network
sourcetype = syslog
disabled = false
[SSL]
SslPassword = <password>
serverCert = /opt/splunk/etc/auth/splunkweb_combined.cer
sslVersions = tls1.3
Does the above look correct?
I'm assuming that:
Thanks in advance for any thoughts.
Hello@mike_k ,
Let me first make few corrections in the config you pasted and give you corrected configuration here first, and then I'll answer about your assumptions.
[sslConfig]
sslVersions = tls1.3
cipherSuite = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
inputs.conf
[tcp-ssl://6514]
connection_host = ip
index = network
sourcetype = syslog
disabled = false
[SSL]
serverCert = /opt/splunk/etc/auth/splunkweb_combined.cer
sslPassword = <password>
sslVersions = tls1.3
requireClientCert = false
as you can see in above, you had few stanza and parameter name incorrect, which I fixed. So you can use this. But please always check the spec documentation just to be correct about stanza names, and parameter names
Now regarding your assumptions:
I hope this helps!!!! Kindly upvote if it does!!
Hello@mike_k ,
Let me first make few corrections in the config you pasted and give you corrected configuration here first, and then I'll answer about your assumptions.
[sslConfig]
sslVersions = tls1.3
cipherSuite = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
inputs.conf
[tcp-ssl://6514]
connection_host = ip
index = network
sourcetype = syslog
disabled = false
[SSL]
serverCert = /opt/splunk/etc/auth/splunkweb_combined.cer
sslPassword = <password>
sslVersions = tls1.3
requireClientCert = false
as you can see in above, you had few stanza and parameter name incorrect, which I fixed. So you can use this. But please always check the spec documentation just to be correct about stanza names, and parameter names
Now regarding your assumptions:
I hope this helps!!!! Kindly upvote if it does!!
Hi,
Just looking over your response again and I had a query.
In your response below, you have listed TLS1.3 ciphers in [sslConfig] stanza. Should the [sslConfig] stanza only have TLS1.2 ciphers listed? with TLS1.3 ciphers going into the [tls1.3] stanza?
Thanks for your reply (and picking up my typo 🙂). Much appreciated.
thanks,
Mike