Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

TLS between splunk components

Nawab
Path Finder
‎08-11-2024 01:19 AM

We have below deployement, UF ----> HF ----> IDX

Uf are sending data to Hf and Hf is acting as and Intermediatry forwarder between UF and IDX.

Now we want to do TLS b/w splunk components. can we do TLS between HF and IDX and leave UFs.

Will UF data will also be TLS complient?

If not will UF still sends data to IDXs or we will stop receiving logs all together?

Labels (1)
Labels
0 Karma
Reply

Nawab
Path Finder
‎08-11-2024 02:24 AM

Thanks for your answer, let me do it and check if it works.

 

Also why are you doing ssl on inputs.conf as per docs it should be done on outsputs of HF

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎08-11-2024 03:46 AM
Here is conf presentation about using TLS with splunk https://conf.splunk.com/files/2023/slides/SEC1936B.pdf
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎08-11-2024 02:16 AM

@Nawab- The answer is yes, you can setup SSL on both places and you can also set SSL only for HF to Indexer.

I think it should not matter what you use from UF to HF and HF to Indexer, they should act independent from each other.

 

Connection with SSL

 

inputs.conf
---------------
[splunktcp-ssl:9997]
serverCert = <string>
sslPassword = <string>
requireClientCert = <boolean>
sslVersions = <string>
cipherSuite = <cipher suite string>
ecdhCurves = <comma separated list of ec curves>
dhFile = <string>
allowSslRenegotiation = <boolean>
sslQuietShutdown = <boolean>
sslCommonNameToCheck = <commonName1>, <commonName2>, ...
sslAltNameToCheck = <alternateName1>, <alternateName2>, ...
useSSLCompression = <boolean>


outputs.conf
------------------
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = <indexer>:9997
sslPassword = password
clientCert = $SPLUNK_HOME/etc/auth/server.pem
(<Check outputs.conf.spec for other SSL configs)

 

 

Connection without SSL

 

inputs.conf
---------------
[splunktcp:9997]


outputs.conf
------------------
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = <indexer>:9997

 

 

I hope this helps!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...