Getting Data In

How to get tcp-ssl input for Splunk 6.0 to work

ricktao
Explorer

I have installed Splunk 6.0 (Free version) on Linux x64 system.
I can collect syslog inputs on UDP port 514. But when I tried to add "tcp-ssl", it didn't work.
Here are my contents in /opt/splunk/etc/apps/launcher/local/inputs.conf file:

[udp://514]
connection_host = ip
source = SyslogTest
sourcetype = syslog

[tcp-ssl:10514]
source = SyslogSslTest
sourcetype = syslog
disabled = 0

[SSL]
serverCert = /root/splunk/cert.pem
rootCA = /root/splunk/ca.pem
password = $1$jC3aVtsP5w==

I did "/opt/splunk/bin/splunk btool check --debug", I didn't see anything wrong.
I ran "/opt/splunk/bin/splunk start" and it reported "OK". Even the web interface showed the tcp inputs.
But when I ran "netstat -a | grep 514", I didn't see my SSL port 10514 open.

Please advise on any tips to run "syslog over ssl/tls" or to debug the problem. Thanks!


TonyLeeVT
Builder

Here is how to do this in Windows:

NOTE: sslRootCAPath is ignored in Windows. Instead use: caCertFile (Thank you Splunk support....)

Create the certs:

mkdir c:\progra~1\Splunk\etc\certs
C:\progra~1\Splunk\bin\splunk.exe cmd cmd.exe /c c:\progra~1\Splunk\bin\genRootCA.bat -d c:\progra~1\Splunk\etc\certs
C:\progra~1\Splunk\bin\splunk.exe cmd python c:\progra~1\Splunk\bin\genSignedServerCert.py -d c:\progra~1\Splunk\etc\certs -n splunk -c splunk -p

Add the following to: c:\Program Files\Splunk\etc\system\local\server.conf

[sslConfig]
caCertFile = c:\progra~1\Splunk\etc\certs\cacert.pem

Add the following to: c:\Program Files\Splunk\etc\apps\your_app_here\local\inputs.conf

[tcp-ssl://6514]
disabled = false
sourcetype = <optional>
index = <optional>
source = <optional>

[SSL]
sslPassword = <The password that was used in the genSignedServerCert>
requireClientCert = false
serverCert = c:\progra~1\Splunk\etc\certs\splunk.pem

Restart Splunk:
c:\progra~1\Splunk\bin\splunk.exe restart

Now verify the port is open using:

netstat -an | findstr :6514

aornitops
New Member

This worked flawlessly for me in 7.3.1! Thanks for posting. I did see this while going through the process:

C:\Windows\system32>C:\progra~1\Splunk\bin\splunk.exe cmd python c:\progra~1\Splunk\bin\genSignedServerCert.py -d c:\progra~1\Splunk\etc\certs -n splunk -c splunk -p
**NOTE: This script is deprecated.  Instead, use "splunk createssl server-cert"**

Does anyone know if the commands are the same for "splunk createssl server-cert"?


TonyLeeVT
Builder

After checking splunkd.log and a little troubleshooting, I was able to get the tcp-ssl port to listen and receive ssl encrypted traffic from a third party device. I used the following steps:

Generate certs:

mkdir /opt/splunk/etc/certs
export OPENSSL_CONF=/opt/splunk/openssl/openssl.cnf
/opt/splunk/bin/genRootCA.sh -d /opt/splunk/etc/certs

/opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n splunk -c splunk -p

Note: It will ask you to enter a password.

In inputs.conf, I used the following:

[tcp-ssl://6514]
Sourcetype = <your source type here>

[SSL]
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
serverCERT = $SPLUNK_HOME/etc/certs/splunk.pem
password = <The password that was used in the genSignedServerCert>

You may want to use netstat -an | grep :6514 to make sure the port is listening after a restart. If not, check /opt/splunk/var/log/splunkd/splunkd.log again for errors. Hope that helps!

TonyLeeVT
Builder

Wow... what should be a simple feat is really a moving target. It appears the process has been changed again in Splunk 6.5.0+

Here is what you need to do now:

Generate certs:

 mkdir /opt/splunk/etc/certs
 export OPENSSL_CONF=/opt/splunk/openssl/openssl.cnf
 /opt/splunk/bin/genRootCA.sh -d /opt/splunk/etc/certs

 /opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n splunk -c splunk -p

$SPLUNK_HOME/etc/apps//local/inputs.conf:

[tcp-ssl://6514]
disabled = false
sourcetype = <optional>
index = <optional>
source = <optional>

[SSL]
serverCert = /opt/splunk/etc/certs/splunk.pem
sslPassword = <The password that was used in the genSignedServerCert>
requireClientCert = false

$SPLUNK_HOME/etc/system/local/server.conf:

[sslConfig]
sslRootCAPath = /opt/splunk/etc/certs/cacert.pem

Restart Splunk:

$SPLUNK_HOME/bin/splunk restart splunkd

Verify the port is open:

netstat -an | grep :6514

TonyLeeVT
Builder

Note: Splunk seems to have deprecated the password parameter. It is now: sslPassword.

Also note: You may need to replace $SPLUNK_HOME with /opt/splunk or whatever your path may be...

Pro-tips:
- Check the port status with netstat -an | grep :6514 (following our above example)
- You may also want to use this command for troubleshooting: /opt/splunk/bin/splunk btool check --debug
- If you are still having issues with the port opening, try to retype the sslPassword and save the file. If you mistype the password, this will not work.


ricktao
Explorer

Now I finally found the answer in the following website:

Use the Splunk provided tools to generate CA, and Server Certificates.

AND you have to use $SPLUNK_HOME instead of /opt/splunk/..

http://answers.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifica...


Simeon
Splunk Employee

Something probably didn't get picked up if the netstat didn't produce anything. I would try enabling the same stanza with standard TCP to ensure functionality, then convert it to SSL. Here is a thread on the topic also in answers:

http://answers.splunk.com/answers/51707/how-to-configure-my-splunk-app-to-get-data-over-ssl

http://answers.splunk.com/answers/48955/tlsssl-syslog-splunk-support


ricktao
Explorer

I followed the following URL to create the cert; not sure where it went wrong:

http://docs.splunk.com/Documentation/Splunk/5.0/Security/Howtoself-signcertificates


ricktao
Explorer

SSL still doesn't work, but I found ERRORs in /opt/splunk/var/log/splunk/splunkd.log

splunkd.log: ERROR SSLCommon - Can't read CA list
splunkd.log: ERROR TcpInputConfig - SSL server certificate not found, or password is wrong - SSL ports will not be opened
splunkd.log: ERROR TcpInputConfig - SSL context not found. Will not open raw (SSL) IPv4 port 6514

It seems that I used plaintext like "abc123" for the password, and it was changed to something like "$1$jC3aVtsP5w==" after startup.
Maybe that's the cause of the TCP-SSL problem.

[SSL]
serverCert = /root/cert.pem
rootCA = /root/ca.pem
password = $1$jC3aVtsP5w==

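A preflight check for the inputs.conf shape used in TonyLeeVT's 6.5.0+ steps and in the [SSL] stanza from the last post (added example, not Splunk's code or any poster's): it parses the file and reports the conditions this thread ties to a tcp-ssl port that never opens: the deprecated password key, a value already in splunkd's $1$ ciphertext form, a missing [SSL] stanza, and cert paths that do not exist once $SPLUNK_HOME is expanded. The sample conf, the function names and the /opt/splunk default are assumptions made for the example.

```python
import configparser
import os

# Constructed sample (not copied from the thread): a [tcp-ssl] input whose [SSL]
# stanza has the two mistakes the thread runs into, the deprecated 'password' key
# and a value that is already in splunkd's encrypted $1$ form.
SAMPLE_INPUTS_CONF = """\
[tcp-ssl://6514]
disabled = false
sourcetype = syslog

[SSL]
serverCert = $SPLUNK_HOME/etc/certs/splunk.pem
rootCA = $SPLUNK_HOME/etc/certs/cacert.pem
password = $1$jC3aVtsP5w==
"""


def load_conf(text):
    """Parse Splunk .conf text; a stanza like [tcp-ssl://6514] is just a section name."""
    cp = configparser.ConfigParser(interpolation=None)  # keep '$' literal
    cp.optionxform = str                                # keep key spelling as written
    cp.read_string(text)
    return cp


def check_ssl_input(text, splunk_home="/opt/splunk", path_exists=os.path.exists):
    """Return findings explaining why a tcp-ssl port would stay closed; [] means clean."""
    cp = load_conf(text)
    findings = []
    if not any(s.startswith("tcp-ssl:") for s in cp.sections()):
        return findings                                 # no SSL input configured
    if not cp.has_section("SSL"):
        return ["no [SSL] stanza: a tcp-ssl input needs serverCert and sslPassword"]
    ssl = cp["SSL"]
    keys = {k.lower(): k for k in ssl}                  # lower-case name -> as written
    if "sslpassword" not in keys:
        findings.append("'password' is deprecated in [SSL]; use sslPassword"
                        if "password" in keys else "sslPassword missing in [SSL]")
    secret = ssl.get(keys.get("sslpassword") or keys.get("password") or "", "")
    if secret.startswith("$1$"):
        findings.append("password value is already a $1$ ciphertext; enter the plaintext "
                        "and let splunkd encrypt it with this instance's splunk.secret")
    if "servercert" not in keys:
        findings.append("serverCert missing in [SSL]")
    for name in ("servercert", "rootca"):
        if name in keys:
            path = ssl[keys[name]].replace("$SPLUNK_HOME", splunk_home)
            if not path_exists(path):
                findings.append(f"{keys[name]} not found on disk: {path}")
    return findings


if __name__ == "__main__":
    for line in check_ssl_input(SAMPLE_INPUTS_CONF) or ["no problems found"]:
        print(line)
```

Run it against the real file with `check_ssl_input(open("/opt/splunk/etc/apps/<app>/local/inputs.conf").read())` before restarting, then confirm with the netstat check from the posts above.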