I am working on getting Splunk secured with certificates. We have a requirement to ensure the integrity of our audit logs as they are transported to Splunk. This would mean that I need to use SSL/TLS between the Forwarders and the Indexers.
When I read the SSL documentation, it wants a cert file and a password in the config settings for each forwarder. This might work for a few forwarders, but we are planning on doing 1,000+ Windows clients, so this would become a management issue. I know I can force the clients to request certificates from our Enterprise CA through GPOs without much problem.
Is there a way to tell the Universal Forwarders to use the machine/host certificates without having to manually set the certificate settings or even using one certificate for all the UFs?
It would be very nice if splunk could use the machine certificate in the store.
I voted for it here: https://ideas.splunk.com/ideas/EID-I-611
Hi. We seem to have the same problem. I've tried looking up in the docs and google, but nothing. Did you ever find a solution to this?
Yeah.. basically we made a forwarder certificate that we push out with a deployment app with a password in the clear.
This conf presentation was what we based our final solution from.
Hi,
The way to configure the SSL configuration is using the indexer certs. So you only need to deploy the certs of all of your indexer to all of your forwarder.
You have to configure inputs.conf in the indexer and outputs.conf in the forwarders.
Check out this link
https://wiki.splunk.com/Community:Splunk2Splunk_SSL_3rdPartyCA
Hope i help you
Why are we using the Indexer certificate on the forwarders? Doing this raises a few issues for me:
Is the local Microsoft Certificate Store not an option?