Splunk Enterprise

What are the steps to replace an expired SSL certificate in Splunk Universal Forwarder version 8.2.8 on Linux?

Gayatri
Engager

Hi,

We are using syslog-ng to collect logs on a syslog server, where we have installed the Universal Forwarder component (version 8.2.8) to forward the logs to Cribl workers. During a VA scan we received a report stating that the SSL certificate is expired / has the wrong hostname.

So we received a renewed SSL certificate from the project and replaced it in cacert.pem, which is located under the /opt/splunkforwarder/etc/auth folder, and I restarted the service. Once that was done, we asked the team to perform the scan again. It is still pointing to the old one and we get the same vulnerability. So we are not sure whether we need to update any other .pem files, such as server.pem or ca.pem. Can you please help us here?

Regards,

Gayathri


PickleRick
SplunkTrust

The cacert.pem file you replaced is used for authenticating your peer to you, not you to your peer.

The vulnerability report you got should have stated explicitly where the offending certificate was in the first place (if it was found by scanning configuration), so you should have a pretty good idea which file to replace.

Anyway, read a bit about how TLS and PKI in general work before you hurt yourself. There are two parties to a TLS connection, and depending on which end you want to authenticate, you use a different set of certificates.

dural_yyz
Communicator

Not a solution to your certificate issue.

 

If your version of Syslog-NG is recent enough I would consider switching to an HTTP Destination configuration.  Use the server as a relay to convert syslog protocol to HEC and you can send direct to Indexers or other destinations of your choosing.


Gayatri
Engager

Hi @dural_yyz ,

 

Thank you for the suggestion. But in our current setup there is no option to switch to an HTTP destination configuration, as we are in the middle of a migration and these servers are about to be decommissioned soon.

But since we received a vulnerability report on the UFs on those servers, we are in the process of replacing the SSL certificate. So if you could provide detailed steps on how to upload the renewed certificate to the Universal Forwarder, that would really help get rid of this issue.

Gayatri
Engager

Hi,

 

Can someone please look into my query above and share your response ASAP?

Gayatri
Engager

Can someone please provide the steps to replace an expired SSL certificate with the renewed one in Splunk UF version 8.2.8?

shnmugam
New Member

Hi @Gayatri 

I want you to check two things.

* Please validate whether any other copy of the old expired CA cert is present on the same server; that may also be a reason for a hit even after replacing the expired cert.

* Also, try deleting server.pem (back it up on a different server for safety) and restarting the Splunk service, which will generate a new certificate.

After the above actions, request a vulnerability re-scan; that should help fix the issue.

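The two points made in this thread (PickleRick's: cacert.pem is the trust store for verifying the peer, not the certificate the forwarder presents; shnmugam's: look for stray copies of the old certificate and check what the management port actually serves) can be checked with the inventory script below. It is an added example, not code from the thread or from Splunk. It assumes the openssl CLI is installed, that the UF lives at the default /opt/splunkforwarder (override with SPLUNK_HOME or AUTH_DIR), and that `splunk btool server list sslConfig` is available to show the merged `serverCert` setting; the function names are the example's own. One caveat worth knowing before deleting server.pem: that file holds both the private key and the certificate, and the one Splunk regenerates on restart is self-signed, so it will no longer be expired but a scanner may still flag it as untrusted.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk. Lists every
# certificate under a Universal Forwarder's auth directory with its expiry
# and SHA-256 fingerprint, shows which file the management port is
# configured to serve, and fetches what the port really presents, so the
# expired or wrong-hostname certificate from the scan can be matched to a
# file. Assumes the openssl CLI; paths are the UF defaults.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunkforwarder}"
AUTH_DIR="${AUTH_DIR:-$SPLUNK_HOME/etc/auth}"

# Number of CERTIFICATE blocks in a PEM file. cacert.pem is normally a
# bundle and server.pem carries key + cert, so one file can hold several,
# and `openssl x509` on its own only ever reads the first.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Extract the Nth certificate (1-based) from a PEM file as text.
nth_cert() {
    awk -v want="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==want' "$1"
}

# "valid", "expired" or "unreadable" for the Nth certificate in a file.
# `-checkend 0` exits non-zero once notAfter has passed.
cert_status() {
    pem=$(nth_cert "$1" "$2")
    if ! printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1; then
        echo unreadable
    elif printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# One line per certificate: file, index, status, subject, notAfter, SHA-256.
# The fingerprint is what to compare against the scanner's finding and
# against what the port serves (see served_cert below).
cert_summary() {
    n=$(count_certs "$1")
    i=1
    while [ "$i" -le "$n" ]; do
        printf '%s #%s %s | ' "$1" "$i" "$(cert_status "$1" "$i")"
        nth_cert "$1" "$i" |
            openssl x509 -noout -subject -enddate -fingerprint -sha256 2>/dev/null |
            tr '\n' ' '
        echo
        i=$((i + 1))
    done
}

# Walk every .pem under the auth directory: stray copies of the old CA or
# server certificate show up here with their own fingerprints.
scan_auth_dir() {
    find "$1" -type f -name '*.pem' | while read -r f; do cert_summary "$f"; done
}

# Which file the management port (8089 by default) is configured to serve:
# Splunk reads [sslConfig] serverCert from server.conf; btool shows the
# merged value across default and local.
configured_server_cert() {
    "$SPLUNK_HOME/bin/splunk" btool server list sslConfig 2>/dev/null | grep -i 'serverCert'
}

# What the scanner sees: the certificate actually presented on host:port.
served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -enddate -fingerprint -sha256
}

# Usage: sh uf-cert-inventory.sh --scan   (then served_cert <host> 8089)
if [ "${1:-}" = "--scan" ]; then
    scan_auth_dir "$AUTH_DIR"
    configured_server_cert
fi
```

Run it with `--scan` on the syslog server, then compare the fingerprint the scanner reported (or the one `served_cert <host> 8089` returns) against the list: the file whose fingerprint matches is the one to replace, and any other file still carrying the old fingerprint is a stray copy.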
Gayatri
Engager

Thank you @shnmugam, will try the same.
