Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Doubt about SSL encryption between multiple Splunk Component

SplunkExplorer
Contributor
‎02-20-2025 01:11 AM

Hi Splunkers, I have some doubt about SSL use for S2S communication.

First, let us remark what is sure, with no doubts:

1. SSL provide a compression ratio better than default one: 1:8 vs 1:2.
2. SSL Compression does NOT affect license. In general, ALL Compression on Splunk does not affect license. This means that: if before compression data has dimension X + Y and, after it, X, consumed license will be X + Y, not X.
3. From a security perspective, if I have multiple Splunk components, the best way to configure flows should be encrypt all of them. For example if I have UF -> HF -> IDX, for security purpose the best is to encrypt both UF -> HF flow and HF -> IDX one.

Now, for a customer we have the following data flow:

Log sources -> Intermediate Forwarder -> Heavy forwarders -> Indexers

I know that when possible we should avoid HF and IF but, for different reason, we need them on this particular environment. Here, 2 doubt rise:

Suppose we apply SSL only between IF and HF.
1. Data arrive compressed on HF. When they leaves it and goes to IDXs, they are still compressed? So, for example suppose we have original data with a total dimension of 800 MB:

  • Between IF and HF exist SSL, so in HF there is a tcp-ssl input on port 9997
  • SSL compression is applied: now data have 100 MB dimension
  • When they arrive to HF, they have 100 MB dimension
  • When they leave the HF to go on IDXs, they still have 100 MB dimension?

Suppose now we apply SSL on entire S2S data flow: between IF and HF and between HF and IDXs. In addition to a better security posture, which other advantage we should achieve going in this direction?

 

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

livehybrid
Super Champion
‎02-20-2025 05:15 AM

Hi @SplunkExplorer 

There is a really good post (https://community.splunk.com/t5/Getting-Data-In/Forwarder-Output-Compression-Ratio-what-is-the-expec...) which has some stats on various compression rates which might help, but I think to answer your question - Its good practice to have end-to-end SSL encryption, and SSL Compression can also reduce your networking costs.

In terms of "if before compression data has dimension X + Y and, after it, X, consumed license will be X + Y, not X." - Im not really sure I understood this, but as you said, compression does not impact license. Therefore if you have 800mb of data at source, which is compressed to 100mb and sent to the destination indexers, then the amount of license you use is 800mb, regardless of if it arrives compressed. Licensing is based on raw ingestion size (unless you have workload based licensing!)

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

View solution in original post

Reply
Solved! Jump to solution

VatsalJagani
SplunkTrust
SplunkTrust
‎02-23-2025 09:04 AM

@SplunkExplorer- Just to be clear SSL offers compression but during the data transit only. So Let's say If you are sending SSL compressed data from UF to HF. As soon as HF receives the data it unencrypt & uncompress it.

Now if you apply the SSL compression again between HF to IDX then only HF will compress the data & forward it to IDX.

 

I hope this helps!!! Kindly upvote if it does!!!

Reply
Solved! Jump to solution
Solution

livehybrid
Super Champion
‎02-20-2025 05:15 AM

Hi @SplunkExplorer 

There is a really good post (https://community.splunk.com/t5/Getting-Data-In/Forwarder-Output-Compression-Ratio-what-is-the-expec...) which has some stats on various compression rates which might help, but I think to answer your question - Its good practice to have end-to-end SSL encryption, and SSL Compression can also reduce your networking costs.

In terms of "if before compression data has dimension X + Y and, after it, X, consumed license will be X + Y, not X." - Im not really sure I understood this, but as you said, compression does not impact license. Therefore if you have 800mb of data at source, which is compressed to 100mb and sent to the destination indexers, then the amount of license you use is 800mb, regardless of if it arrives compressed. Licensing is based on raw ingestion size (unless you have workload based licensing!)

Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards

Will

Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top