Splunk Enterprise

What are the steps to replace an expired SSL certificate in Splunk universal forwarder version 8.2.8 on Linux OS?

Gayatri
Explorer

Hi,

We are using syslog-ng to collect logs at a syslog server, where we have installed the Universal Forwarder component (version 8.2.8) to forward the logs to Cribl workers. Now, during a VA scan, we received a report stating that the SSL certificate is expired/has the wrong hostname.

So, we received the renewed SSL certificate from the project and replaced it in cacert.pem, which is located under the /opt/splunkforwarder/etc/auth folder, and I have restarted the service. Once done, we informed the team to perform the scan again. Again, it is still pointing to the old one and getting the same vulnerability. So, we are not sure whether we need to update any other .pem files such as server.pem or ca.pem. Can you please help us here?


Regards,

Gayathri


PickleRick
SplunkTrust

The cacert.pem file you replaced is used for authenticating your peer to you, not you to your peer.

The vulnerability report you got should have stated explicitly where the offending certificate was in the first place (if it was found by scanning the configuration), so you should have a pretty good idea which file to replace.

Anyway, read a bit about how TLS and PKI in general work before you hurt yourself - there are two parties to a TLS connection and, depending on which end you want to authenticate, you use a different set of certificates.


dural_yyz
Builder

Not a solution to your certificate issue.


If your version of Syslog-NG is recent enough, I would consider switching to an HTTP destination configuration. Use the server as a relay to convert syslog protocol to HEC, and you can send directly to indexers or other destinations of your choosing.


Gayatri
Explorer

Hi @dural_yyz,


Thank you for the suggestion. But in our current setup there is no option to switch to an HTTP destination configuration, as we are in the migration phase and these are about to be decommissioned soon.

But since we received a vulnerability report on the UFs on those servers, we are in the process of replacing the SSL certificate. So, if you could provide detailed steps on how to upload the renewed certificate in the universal forwarder, that would really help get rid of this issue.


Gayatri
Explorer

Hi,


Can someone please look into my above query and share your response ASAP?


Gayatri
Explorer

Can someone please provide the steps to replace the expired SSL certificate with the renewed one in Splunk UF version 8.2.8?


shnmugam
New Member

Hi @Gayatri,

I want you to check two things.

* Requesting you to validate whether any other copy of the old expired CA cert is present on the same server; that may also be a reason to get a hit even after replacing the expired cert.

* Also, try deleting server.pem (back it up on a different server for safety) and restart the Splunk service, which will generate a new certificate.

After the above actions, request a vulnerability re-scan; that should help fix the issue.

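A check that ties PickleRick's point (cacert.pem is a trust anchor for verifying the peer, not the forwarder's own certificate) to shnmugam's (server.pem is the file Splunk regenerates) is to compare the certificate the forwarder actually presents on its listening port with the certificate in each file under the auth directory. The script below is an added example, not from this thread; it assumes the openssl CLI is installed, the install path quoted in the thread, and that the scan hit the default UF management port 8089 (all adjustable via environment variables).

```shell
#!/bin/sh
# Added example, not from the thread: identify which file under the forwarder's
# auth directory holds the certificate a scanner sees on the UF listening port,
# and report whether each file's certificate has expired.
# Assumes: openssl CLI, the install path from the thread, default port 8089.
AUTH_DIR="${SPLUNK_AUTH_DIR:-/opt/splunkforwarder/etc/auth}"
HOST="${UF_HOST:-localhost}"
PORT="${UF_PORT:-8089}"

# file_fp FILE -> SHA-256 fingerprint of the first CERTIFICATE block in FILE.
# server.pem also carries the private key; openssl x509 skips non-cert blocks.
file_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# cert_status FILE -> VALID or EXPIRED; returns 1 if FILE holds no certificate.
cert_status() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo VALID
    else
        echo EXPIRED
    fi
}

# port_fp HOST PORT -> fingerprint of the leaf certificate the listener presents
# (empty if nothing answers or no certificate is sent).
port_fp() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Compare what the listener presents with what each file on disk contains.
if [ -d "$AUTH_DIR" ]; then
    live=$(port_fp "$HOST" "$PORT")
    echo "presented on $HOST:$PORT: ${live:-<no certificate presented>}"
    for f in server.pem cacert.pem ca.pem; do   # the files named in the thread
        p="$AUTH_DIR/$f"
        [ -f "$p" ] || continue
        fp=$(file_fp "$p")
        [ -n "$fp" ] || { echo "$f: no certificate found"; continue; }
        mark=""
        [ "$fp" = "$live" ] && mark="  <== this file is what the scanner sees"
        echo "$f: $(cert_status "$p") $(openssl x509 -in "$p" -noout -enddate)$mark"
    done
fi
```

Run it on the forwarder host itself; the file whose fingerprint matches the presented one is the one the scan reported, and replacing any other file (as happened with cacert.pem here) leaves the finding unchanged.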

Gayatri
Explorer

Thank you @shnmugam. Will try the same.
