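# Documentation was not very clear, below is working.
# Do not make changes to system.conf, as it broke a lot of things. Trust in your backup.

# Create cert with encrypted key: certificate first, then the encrypted private key, in one PEM.
/opt/splunk/etc/auth/dod/system-splunk-smn.pem
-----BEGIN CERTIFICATE-----
<snip>
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
<snip>
-----END ENCRYPTED PRIVATE KEY-----

# Verify, it will prompt for the key password.
# Expect "Verify return code: 0 (ok)" - that confirms the indexer's certificate chains to the
# DoD CA bundle, which is what allows sslVerifyServerCert = true in outputs.conf below.
openssl s_client -connect <IP>:<PORT> -showcerts \
    -cert /opt/splunk/etc/auth/dod/system-splunk-smn.pem \
    -CAfile /opt/splunk/etc/auth/dod/system-dod.cacert

# Set _TCP_ROUTING=monitoring_audit so this input's events are routed to the monitoring_audit tcpout group.
vi /opt/splunk/etc/apps/search/local/inputs.conf

[monitor:///var/log/audit/audit.log]
disabled = false
# "index" is a placeholder - replace with the target index name.
index = index
sourcetype = linux_audit
host = loghost
_TCP_ROUTING = monitoring_audit

#############
# Configure output for <IP>:<PORT>
#####
# outputs.conf holds sslPassword in clear text until the next restart - keep the file
# readable by the splunk user only.
vi /opt/splunk/etc/system/local/outputs.conf

[tcpout]
indexAndForward = true
defaultGroup = monitoring_audit

[tcpout:monitoring_audit]
server = <IP>:<PORT>
disabled = 0
sslRootCAPath = /opt/splunk/etc/auth/dod/system-dod.cacert
# Password for the encrypted private key in clientCert; Splunk rewrites it encrypted on restart (see note below).
sslPassword = <snip>
clientCert = /opt/splunk/etc/auth/dod/system-splunk-smn.pem
useClientSSLCompression = true
sendCookedData = false
# Was false. With sslRootCAPath set and the s_client -CAfile check above passing, there is no
# reason to skip verification: false accepts any server certificate, so the audit stream could
# be redirected to another host without detection.
sslVerifyServerCert = true
# Optional: additionally pin the expected CN of the indexer's certificate.
# sslCommonNameToCheck = <INDEXER_CERT_CN>
sslVersions = tls1.2

## Test config.
/opt/splunk/bin/splunk cmd btool outputs list tcpout
/opt/splunk/bin/splunk btool outputs list --debug
/opt/splunk/bin/splunk btool check --debug
# Fix any issues, then restart.
systemctl restart splunk
## Note the sslPassword was set up in plain text; it got encrypted on restart.

# Watch the forwarder traffic to the indexer.
tcpdump host <IP> -i bond0
tcpdump -vv port <PORT> and "host <IP>" -i bond0
# Verified connection: the queue sometimes grows, then clears.
netstat -natp | grep <PORT>
# Verified audit data being indexed into splunk.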