Splunk Enterprise

Doubt about SSL encryption between multiple Splunk Component

SplunkExplorer
Contributor

Hi Splunkers, I have some doubts about SSL use for S2S communication.

First, let us recap what is sure, with no doubts:

1. SSL provides a better compression ratio than the default one: 1:8 vs 1:2.
2. SSL compression does NOT affect license. In general, ALL compression on Splunk does not affect license. This means that if, before compression, data has dimension X + Y and, after it, X, consumed license will be X + Y, not X.
3. From a security perspective, if I have multiple Splunk components, the best way to configure flows should be to encrypt all of them. For example, if I have UF -> HF -> IDX, for security purposes the best is to encrypt both the UF -> HF flow and the HF -> IDX one.

Now, for a customer we have the following data flow:

Log sources -> Intermediate Forwarder -> Heavy forwarders -> Indexers

I know that when possible we should avoid HF and IF but, for different reasons, we need them in this particular environment. Here, 2 doubts arise:

Suppose we apply SSL only between IF and HF.
1. Data arrives compressed on the HF. When it leaves the HF and goes to the IDXs, is it still compressed? So, for example, suppose we have original data with a total dimension of 800 MB:

  • Between IF and HF there is SSL, so on the HF there is a tcp-ssl input on port 9997
  • SSL compression is applied: now the data has a dimension of 100 MB
  • When it arrives at the HF, it has a dimension of 100 MB
  • When it leaves the HF to go to the IDXs, does it still have a dimension of 100 MB?

Suppose now we apply SSL on the entire S2S data flow: between IF and HF and between HF and IDXs. In addition to a better security posture, which other advantages should we achieve by going in this direction?

1 Solution

livehybrid
Super Champion

Hi @SplunkExplorer 

There is a really good post (https://community.splunk.com/t5/Getting-Data-In/Forwarder-Output-Compression-Ratio-what-is-the-expec...) which has some stats on various compression rates which might help, but I think to answer your question - it's good practice to have end-to-end SSL encryption, and SSL compression can also reduce your networking costs.

In terms of "if before compression data has dimension X + Y and, after it, X, consumed license will be X + Y, not X." - I'm not really sure I understood this, but as you said, compression does not impact license. Therefore if you have 800 MB of data at source, which is compressed to 100 MB and sent to the destination indexers, then the amount of license you use is 800 MB, regardless of whether it arrives compressed. Licensing is based on raw ingestion size (unless you have workload-based licensing!)

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will


VatsalJagani
SplunkTrust

@SplunkExplorer - Just to be clear, SSL offers compression, but during data transit only. So let's say you are sending SSL-compressed data from UF to HF. As soon as the HF receives the data, it decrypts & decompresses it.

Now, if you apply SSL compression again between HF and IDX, then only the HF will compress the data & forward it to the IDX.


I hope this helps!!! Kindly upvote if it does!!!
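The end-to-end setup Will recommends, together with the per-hop behaviour Vatsal describes (the HF terminates hop 1 and starts hop 2 on its own), as an added configuration example that is not from this thread or from Splunk's documentation. Hostnames, certificate paths and passphrases are placeholders; the setting names follow the current outputs.conf, inputs.conf and server.conf specs, so check them against your Splunk version.

```ini
# --- Intermediate forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Hop 1: IF -> HF over TLS; SSL-layer compression is negotiated on this hop.
[tcpout]
defaultGroup = heavy_forwarders

[tcpout:heavy_forwarders]
server = hf1.example.internal:9997, hf2.example.internal:9997
useSSL = true
clientCert = $SPLUNK_HOME/etc/auth/mycerts/if-client.pem
sslPassword = REPLACE_WITH_KEY_PASSPHRASE
# Verify the receiver's certificate (chain from sslRootCAPath in this host's
# server.conf, plus name) so data cannot be sent to an impostor receiver.
sslVerifyServerCert = true
sslCommonNameToCheck = hf1.example.internal, hf2.example.internal
useClientSSLCompression = true

# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# The tcp-ssl receiver on 9997. Data is decrypted and decompressed here,
# so hop 2 must be protected separately (see the HF outputs.conf below).
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/hf-server.pem
sslPassword = REPLACE_WITH_KEY_PASSPHRASE
requireClientCert = true
sslCommonNameToCheck = if1.example.internal

[splunktcp-ssl:9997]
disabled = 0

# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/server.conf ---
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
# Allow clients to negotiate SSL-layer compression on this receiver.
allowSslCompression = true

# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Hop 2: HF -> IDX, same pattern; the HF re-encrypts and re-compresses.
[tcpout]
defaultGroup = indexers

[tcpout:indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
useSSL = true
clientCert = $SPLUNK_HOME/etc/auth/mycerts/hf-client.pem
sslPassword = REPLACE_WITH_KEY_PASSPHRASE
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal
useClientSSLCompression = true
# Indexers carry the same [SSL], [splunktcp-ssl:9997] and [sslConfig] stanzas as the HF.
```

`splunk btool outputs list tcpout --debug` on each hop shows which file every effective setting comes from, which is the quickest way to confirm the SSL keys actually took effect after the restart.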

