Splunk Enterprise

Doubt about SSL encryption between multiple Splunk Component

SplunkExplorer
Contributor

Hi Splunkers, I have some doubts about SSL use for S2S communication.

First, let us remark what is sure, with no doubts:

1. SSL provides a better compression ratio than the default one: 1:8 vs 1:2.
2. SSL compression does NOT affect license. In general, ALL compression on Splunk does not affect license. This means that: if before compression data has dimension X + Y and, after it, X, consumed license will be X + Y, not X.
3. From a security perspective, if I have multiple Splunk components, the best way to configure flows should be to encrypt all of them. For example, if I have UF -> HF -> IDX, for security purposes the best is to encrypt both the UF -> HF flow and the HF -> IDX one.

Now, for a customer we have the following data flow:

Log sources -> Intermediate Forwarder -> Heavy forwarders -> Indexers

I know that when possible we should avoid HF and IF but, for different reasons, we need them in this particular environment. Here, two doubts arise:

Suppose we apply SSL only between IF and HF.
1. Data arrive compressed on the HF. When they leave it and go to the IDXs, are they still compressed? So, for example, suppose we have original data with a total dimension of 800 MB:

  • Between IF and HF SSL exists, so on the HF there is a tcp-ssl input on port 9997
  • SSL compression is applied: now data have a 100 MB dimension
  • When they arrive at the HF, they have a 100 MB dimension
  • When they leave the HF to go to the IDXs, do they still have a 100 MB dimension?

2. Suppose now we apply SSL on the entire S2S data flow: between IF and HF and between HF and IDXs. In addition to a better security posture, which other advantages should we achieve going in this direction?

1 Solution

livehybrid
Champion

Hi @SplunkExplorer 

There is a really good post (https://community.splunk.com/t5/Getting-Data-In/Forwarder-Output-Compression-Ratio-what-is-the-expec...) which has some stats on various compression rates which might help, but I think, to answer your question: it's good practice to have end-to-end SSL encryption, and SSL compression can also reduce your networking costs.

In terms of "if before compression data has dimension X + Y and, after it, X, consumed license will be X + Y, not X." - I'm not really sure I understood this, but as you said, compression does not impact license. Therefore if you have 800 MB of data at source, which is compressed to 100 MB and sent to the destination indexers, then the amount of license you use is 800 MB, regardless of whether it arrives compressed. Licensing is based on raw ingestion size (unless you have workload-based licensing!)

Please let me know how you get on and consider accepting this answer or adding karma to this answer if it has helped.
Regards

Will

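The end-to-end layout from the question (IF -> HF -> IDX, TLS on both hops) written out as Splunk .conf fragments. This is an added example, not configuration from the post or from Splunk's documentation; hostnames, certificate paths and the key password are placeholders, and the receiving stanza for S2S traffic is `[splunktcp-ssl:<port>]`. Beyond encryption, the settings to look at are the verification ones: `sslVerifyServerCert` on the sending side and `requireClientCert` on the receiving side, since an encrypted hop that does not verify its peer will still accept traffic from any host.

```ini
# --- Intermediate forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Hop 1: IF -> HF over TLS. Hostnames, cert paths and password are placeholders.
[tcpout]
defaultGroup = hf_group

[tcpout:hf_group]
server = hf1.example.internal:9997, hf2.example.internal:9997
clientCert = $SPLUNK_HOME/etc/auth/mycerts/if-client.pem
sslPassword = <placeholder-key-password>
# Reject a receiver whose certificate does not chain to our CA and match the name below
sslVerifyServerCert = true
sslCommonNameToCheck = hf1.example.internal, hf2.example.internal
sslVersions = tls1.2
# Compression on this hop comes from the TLS layer (default is already true)
useClientSSLCompression = true

# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/inputs.conf ---
# Receive hop 1. Data are decrypted and decompressed here before the HF parses them.
[splunktcp-ssl:9997]
disabled = false

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/hf-server.pem
sslPassword = <placeholder-key-password>
# Only forwarders presenting a certificate from our CA may send
requireClientCert = true
sslVersions = tls1.2

# --- Heavy forwarder: $SPLUNK_HOME/etc/system/local/outputs.conf ---
# Hop 2: HF -> IDX. The HF opens its own TLS session, so it re-encrypts and
# re-compresses the data it already decompressed on arrival.
[tcpout]
defaultGroup = idx_group

[tcpout:idx_group]
server = idx1.example.internal:9997, idx2.example.internal:9997
clientCert = $SPLUNK_HOME/etc/auth/mycerts/hf-client.pem
sslPassword = <placeholder-key-password>
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal
sslVersions = tls1.2
useClientSSLCompression = true

# --- Every node: $SPLUNK_HOME/etc/system/local/server.conf ---
# CA used to validate the peer certificates referenced above
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
```

The indexers carry the same `[splunktcp-ssl:9997]` / `[SSL]` receiving stanzas as the HF. Two checks worth running after a restart: `splunk btool outputs list --debug` on each forwarder to confirm which file the effective `sslVerifyServerCert` value comes from, and `openssl s_client -connect hf1.example.internal:9997` from the IF to confirm the port presents the expected certificate chain; a plain `[splunktcp:9997]` stanza left enabled alongside the SSL one would silently accept unencrypted traffic, so make sure only the `-ssl` stanza exists on the receivers.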

VatsalJagani
SplunkTrust

@SplunkExplorer - Just to be clear, SSL offers compression but only during data transit. So let's say you are sending SSL-compressed data from UF to HF. As soon as the HF receives the data, it decrypts & decompresses it.

Now, if you apply SSL compression again between HF and IDX, then only the HF will compress the data & forward it to IDX.


I hope this helps!!! Kindly upvote if it does!!!

