Splunk Enterprise
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Doubt about SSL encryption between multiple Splunk...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
SplunkExplorer
Contributor
02-20-2025
01:11 AM
Hi Splunkers, I have some doubt about SSL use for S2S communication.
First, let us remark what is sure, with no doubts:
1. SSL provide a compression ratio better than default one: 1:8 vs 1:2.
2. SSL Compression does NOT affect license. In general, ALL Compression on Splunk does not affect license. This means that: if before compression data has dimension X + Y and, after it, X, consumed license will be X + Y, not X.
3. From a security perspective, if I have multiple Splunk components, the best way to configure flows should be encrypt all of them. For example if I have UF -> HF -> IDX, for security purpose the best is to encrypt both UF -> HF flow and HF -> IDX one.
Now, for a customer we have the following data flow:
Log sources -> Intermediate Forwarder -> Heavy forwarders -> Indexers
I know that when possible we should avoid HF and IF but, for different reason, we need them on this particular environment. Here, 2 doubt rise:
Suppose we apply SSL only between IF and HF.
1. Data arrive compressed on HF. When they leaves it and goes to IDXs, they are still compressed? So, for example suppose we have original data with a total dimension of 800 MB:
- Between IF and HF exist SSL, so in HF there is a tcp-ssl input on port 9997
- SSL compression is applied: now data have 100 MB dimension
- When they arrive to HF, they have 100 MB dimension
- When they leave the HF to go on IDXs, they still have 100 MB dimension?
Suppose now we apply SSL on entire S2S data flow: between IF and HF and between HF and IDXs. In addition to a better security posture, which other advantage we should achieve going in this direction?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
livehybrid
Super Champion
02-20-2025
05:15 AM
There is a really good post (https://community.splunk.com/t5/Getting-Data-In/Forwarder-Output-Compression-Ratio-what-is-the-expec...) which has some stats on various compression rates which might help, but I think to answer your question - Its good practice to have end-to-end SSL encryption, and SSL Compression can also reduce your networking costs.
In terms of "if before compression data has dimension X + Y and, after it, X, consumed license will be X + Y, not X." - Im not really sure I understood this, but as you said, compression does not impact license. Therefore if you have 800mb of data at source, which is compressed to 100mb and sent to the destination indexers, then the amount of license you use is 800mb, regardless of if it arrives compressed. Licensing is based on raw ingestion size (unless you have workload based licensing!)
Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards
Will
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
VatsalJagani
SplunkTrust
02-23-2025
09:04 AM
@SplunkExplorer- Just to be clear SSL offers compression but during the data transit only. So Let's say If you are sending SSL compressed data from UF to HF. As soon as HF receives the data it unencrypt & uncompress it.
Now if you apply the SSL compression again between HF to IDX then only HF will compress the data & forward it to IDX.
I hope this helps!!! Kindly upvote if it does!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
livehybrid
Super Champion
02-20-2025
05:15 AM
There is a really good post (https://community.splunk.com/t5/Getting-Data-In/Forwarder-Output-Compression-Ratio-what-is-the-expec...) which has some stats on various compression rates which might help, but I think to answer your question - Its good practice to have end-to-end SSL encryption, and SSL Compression can also reduce your networking costs.
In terms of "if before compression data has dimension X + Y and, after it, X, consumed license will be X + Y, not X." - Im not really sure I understood this, but as you said, compression does not impact license. Therefore if you have 800mb of data at source, which is compressed to 100mb and sent to the destination indexers, then the amount of license you use is 800mb, regardless of if it arrives compressed. Licensing is based on raw ingestion size (unless you have workload based licensing!)
Please let me know how you get on and consider accepting this answer or adding karma this answer if it has helped.
Regards
Will
Get Updates on the Splunk Community!
Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...
This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...
Elevate Your Organization with Splunk’s Next Platform Evolution
Thursday, July 10, 2025 | 11AM PDT / 2PM EDT
Whether you're managing complex deployments or looking to ...
Splunk Answers Content Calendar, June Edition
Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
