Splunk Enterprise

Configuring Splunk Enterprise network input using TLS1.3

mike_k
Communicator

I am pulling together a small single server Splunk deployment. Because the deployment is on a small scale, I intend to have the couple of syslog endpoints connecting directly to the Splunk server (not via a separate syslog server with UF).

I would therefore like to configure  a TCP/TLS syslog input on my Splunk Enterprise server. I have also just discovered that Splunk now supports TLS 1.3. Based on this I would like my deployment to only use TLS1.3 (not TLS1.2 or earlier).

From what I have read, I have to configure settings in server.conf as follows:

[tls1.3] 
cipherSuite =
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
groups = prime256v1, secp384r1, secp521r1

What I am trying to figure out though is how to configure the inputs.conf file.

I'm thinking that I would need to configure inputs.conf as follows:

[tcp-ssl://6514]
Connection_host = ip
index = network
sourcetype = syslog
disabled = false

[SSL]
SslPassword = <password>
serverCert = /opt/splunk/etc/auth/splunkweb_combined.cer
sslVersions = tls1.3

Does the above look correct? 

I'm assuming that:

  1.  The "cipherSuite" and "ecdhCurves" sections in the [SSL] stanza of inputs.conf would only apply to TLS1.2 and therefore wouldn't be required if using TLS 1.3. 
  2.  That I need the [tcp-ssl://port] stanza to be able to specify index/sourcetype etc settings for this traffic.

Thanks in advance for any thoughts.

Labels (2)
Tags (2)
0 Karma
1 Solution

VatsalJagani
SplunkTrust
SplunkTrust

Hello@mike_k ,

 

Let me first make few corrections in the config you pasted and give you corrected configuration here first, and then I'll answer about your assumptions.

 

[sslConfig]
sslVersions = tls1.3
cipherSuite = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

 

inputs.conf

[tcp-ssl://6514]
connection_host = ip
index = network
sourcetype = syslog
disabled = false

[SSL]
serverCert = /opt/splunk/etc/auth/splunkweb_combined.cer
sslPassword = <password>
sslVersions = tls1.3
requireClientCert = false

 

as you can see in above, you had few stanza and parameter name incorrect, which I fixed. So you can use this. But please always check the spec documentation just to be correct about stanza names, and parameter names

 

Now regarding your assumptions:

  •  cipherSuite and ecdhCurves in the [SSL] stanza of inputs.conf are TLS 1.2 concepts — in TLS 1.3, cipher suites are fixed by the protocol itself and not negotiable in the same way. You don't need to specify them in inputs.conf when restricting to TLS 1.3 only, and Splunk will use the TLS 1.3 ciphers you defined in server.conf. So leaving them out of the inputs.conf [SSL] stanza is correct.
  • The [tcp-ssl://6514] stanza is where you attach metadata like index, sourcetype, and connection_host to the input. The [SSL] stanza only handles the cryptographic configuration — it has no awareness of index routing or sourcetype. Both stanzas are needed and they work together, which is exactly what you have.

 

I hope this helps!!!! Kindly upvote if it does!!

View solution in original post

VatsalJagani
SplunkTrust
SplunkTrust

Hello@mike_k ,

 

Let me first make few corrections in the config you pasted and give you corrected configuration here first, and then I'll answer about your assumptions.

 

[sslConfig]
sslVersions = tls1.3
cipherSuite = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

 

inputs.conf

[tcp-ssl://6514]
connection_host = ip
index = network
sourcetype = syslog
disabled = false

[SSL]
serverCert = /opt/splunk/etc/auth/splunkweb_combined.cer
sslPassword = <password>
sslVersions = tls1.3
requireClientCert = false

 

as you can see in above, you had few stanza and parameter name incorrect, which I fixed. So you can use this. But please always check the spec documentation just to be correct about stanza names, and parameter names

 

Now regarding your assumptions:

  •  cipherSuite and ecdhCurves in the [SSL] stanza of inputs.conf are TLS 1.2 concepts — in TLS 1.3, cipher suites are fixed by the protocol itself and not negotiable in the same way. You don't need to specify them in inputs.conf when restricting to TLS 1.3 only, and Splunk will use the TLS 1.3 ciphers you defined in server.conf. So leaving them out of the inputs.conf [SSL] stanza is correct.
  • The [tcp-ssl://6514] stanza is where you attach metadata like index, sourcetype, and connection_host to the input. The [SSL] stanza only handles the cryptographic configuration — it has no awareness of index routing or sourcetype. Both stanzas are needed and they work together, which is exactly what you have.

 

I hope this helps!!!! Kindly upvote if it does!!

mike_k
Communicator

Hi,

Just looking over your response again and I had a query.

In your response below, you have listed TLS1.3 ciphers in [sslConfig] stanza. Should the [sslConfig] stanza only have TLS1.2 ciphers listed? with TLS1.3 ciphers going into the [tls1.3] stanza?

 (URL reference) 

0 Karma

VatsalJagani
SplunkTrust
SplunkTrust
No tls1.2 anymore, we are specifying sslVersions = tls1.3.
And again there is no stanza called [tls1.3]
0 Karma

mike_k
Communicator

Thanks for your reply (and picking up my typo 🙂). Much appreciated.

 

thanks,

Mike

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...