Splunk Enterprise

TLS between splunk components

Nawab
Communicator

We have the below deployment: UF ----> HF ----> IDX

UFs are sending data to the HF, and the HF is acting as an intermediary forwarder between UF and IDX.

Now we want to do TLS between Splunk components. Can we do TLS between HF and IDX and leave the UFs?

Will UF data also be TLS compliant?

If not, will the UF still send data to the IDXs, or will we stop receiving logs altogether?

0 Karma

Nawab
Communicator

Thanks for your answer, let me do it and check if it works.

 

Also, why are you doing SSL in inputs.conf? As per the docs, it should be done in the outputs of the HF.

0 Karma

isoutamo
SplunkTrust
Here is a conf presentation about using TLS with Splunk: https://conf.splunk.com/files/2023/slides/SEC1936B.pdf
0 Karma

VatsalJagani
SplunkTrust

@Nawab - The answer is yes, you can set up SSL in both places, and you can also set SSL only for HF to Indexer.

I think it should not matter what you use from UF to HF and from HF to Indexer; they should act independently of each other.

 

Connection with SSL

 

inputs.conf
---------------
[splunktcp-ssl:9997]

# Certificate and TLS settings for splunktcp-ssl inputs go in the [SSL] stanza
[SSL]
serverCert = <string>
sslPassword = <string>
requireClientCert = <boolean>
sslVersions = <string>
cipherSuite = <cipher suite string>
ecdhCurves = <comma separated list of ec curves>
dhFile = <string>
allowSslRenegotiation = <boolean>
sslQuietShutdown = <boolean>
sslCommonNameToCheck = <commonName1>, <commonName2>, ...
sslAltNameToCheck = <alternateName1>, <alternateName2>, ...
useSSLCompression = <boolean>


outputs.conf
------------------
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = <indexer>:9997
sslPassword = password
clientCert = $SPLUNK_HOME/etc/auth/server.pem
# Check outputs.conf.spec for other SSL configs

 

 

Connection without SSL

 

inputs.conf
---------------
[splunktcp:9997]


outputs.conf
------------------
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = <indexer>:9997

 

 

I hope this helps!!!!

0 Karma
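
A per-hop check of the UF ----> HF ----> IDX layout discussed in this thread, as an added example (not code from any poster or from Splunk): it reads the sender's outputs.conf and the receiver's inputs.conf for one hop and reports whether both ends agree on TLS. The hostnames, the group name `hf` and the sample configs are constructed; `useSSL` is an outputs.conf setting not shown in the thread, and only the `[splunktcp:<port>]` / `[splunktcp-ssl:<port>]` stanza forms and the first `server` entry are handled.

```python
import configparser

# Constructed sample configs for the three tiers (hostnames and paths are placeholders).
UF_OUTPUTS = "[tcpout:hf]\nserver = hf.example.com:9997\n"
HF_INPUTS = "[splunktcp:9997]\n"
HF_OUTPUTS = """[tcpout:my_indexers]
server = idx.example.com:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = <password>
"""
IDX_INPUTS = """[splunktcp-ssl:9997]
[SSL]
serverCert = <path to server certificate>
sslPassword = <password>
"""

def parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names such as clientCert case-sensitive
    cp.read_string(text)
    return cp

def sender_tls(stanza):
    """True if this tcpout group connects with TLS."""
    mode = stanza.get("useSSL", "legacy").strip().lower()
    if mode == "legacy":  # legacy mode: TLS is used only when clientCert is set
        return "clientCert" in stanza
    return mode == "true"

def receiver_ports(inputs_text):
    """Map port -> True for [splunktcp-ssl:<port>], False for [splunktcp:<port>]."""
    ports = {}
    for name in parse(inputs_text).sections():
        kind, _, port = name.partition(":")
        if kind in ("splunktcp", "splunktcp-ssl") and port.isdigit():
            ports[port] = kind == "splunktcp-ssl"
    return ports

def check_hop(outputs_text, group, inputs_text):
    """Classify one sender -> receiver hop: tls, plaintext, mismatch or no-listener."""
    stanza = parse(outputs_text)["tcpout:" + group]
    port = stanza["server"].split(",")[0].rsplit(":", 1)[1].strip()
    listening = receiver_ports(inputs_text)
    if port not in listening:
        return "no-listener"
    if sender_tls(stanza) != listening[port]:
        return "mismatch"  # one end speaks TLS and the other does not: no data flows
    return "tls" if listening[port] else "plaintext"

if __name__ == "__main__":
    print("UF -> HF :", check_hop(UF_OUTPUTS, "hf", HF_INPUTS))
    print("HF -> IDX:", check_hop(HF_OUTPUTS, "my_indexers", IDX_INPUTS))
```

A `mismatch` result on a hop is the case where logs stop arriving: the sender's outputs.conf and the receiver's inputs.conf for that hop must be changed together, while the other hop can stay as it is.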