Security

Redundant forwarders and SSL

mundus
Path Finder

My understanding was that the best practice for creating redundancy for the forwarders is to create two forwarders and use DNS round robin load balancing to have clients load balance between the two or failover to the active one during an outage.

What's the best practice for protecting forwarding using SSL in the scenario above? If I create listeners on those intermediate forwarders, should I have each one use the same CN and cert? My understanding is that if I have two hosts defined in the outputs.conf, it sends one copy of each event to both servers, thus doubling my license consumption and requiring a dedup for all searches.

But if they do use the same cert and CN, which fields have to match in the config files? The inputs.conf and the server.conf file?

Thanks.

Craig

0 Karma

gkanapathy
Splunk Employee

I take it you're making the intermediate forwarders redundant, and that they receive SSL from a set of other forwarders. If you are doing this, you can either specify the redundant intermediates using DNS aliases (not round-robin load-balancing) or you can list each one separately in outputs.conf, not both (since if you use DNS, they will have the same name in outputs.conf).

Regardless of what you do, the rule for SSL (assuming you're validating the server name on the SSL cert, which nevertheless is not required to be configured that way in Splunk) is that the certificate name must match the name by which the client accesses the server. Therefore, if you use DNS aliases, both intermediate forwarders must have the same DNS name. If you reference them separately, they must each have the respective name used in outputs.conf.

0 Karma
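As an added example (not configuration from this thread or from Splunk's docs), here are the two layouts the answer above describes, side by side: the sending forwarders' outputs.conf, and the SSL listener on each intermediate. Hostnames, ports and certificate paths are assumed placeholders; note that listing several servers in one tcpout group load-balances across them rather than cloning to both, so the licence is consumed once.

```ini
# --- outputs.conf (on the forwarders that send to the intermediates) ---
# Option A: list both intermediates explicitly. Each intermediate's server
# certificate must then carry its own name (fwd1 / fwd2).
[tcpout]
defaultGroup = intermediates

[tcpout:intermediates]
server = fwd1.example.com:9997, fwd2.example.com:9997
sslVerifyServerCert = true
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslPassword = <password-for-forwarder.pem-private-key>

# Option B (alternative to A, not in addition to it): one DNS alias that
# resolves to both intermediates. Both server certificates must then be
# issued for the alias, and sslCommonNameToCheck pins exactly that name.
#[tcpout:intermediates]
#server = intermediates.example.com:9997
#sslVerifyServerCert = true
#sslCommonNameToCheck = intermediates.example.com
#clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
#sslPassword = <password-for-forwarder.pem-private-key>

# --- inputs.conf (on each intermediate forwarder) ---
[splunktcp-ssl:9997]
disabled = 0

[SSL]
# Option A: CN = fwd1.example.com on fwd1, fwd2.example.com on fwd2.
# Option B: CN = intermediates.example.com on both hosts.
serverCert = $SPLUNK_HOME/etc/auth/mycerts/intermediate.pem
sslPassword = <password-for-intermediate.pem-private-key>
# Require the sending forwarders to present a cert signed by our CA,
# so an arbitrary host cannot inject events into the listener.
requireClientCert = true

# --- server.conf (on every host, senders and intermediates) ---
[sslConfig]
# CA that signed both the forwarder client certs and the intermediates'
# server certs; used for sslVerifyServerCert and requireClientCert.
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca.pem
```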

mundus
Path Finder

I'm not totally clear... If I use the first method, I have one entry for each intermediate forwarder in the outputs.conf file and each one would have a cert that matches that name.

Or I can use a single entry in outputs.conf and use DNS round-robin to send the traffic to the intermediate forwarders. Both intermediate forwarders would have to have identical hostnames and server names within the Splunk config files that match the CN on the cert?

Do I have that right?

0 Karma