Monitoring Splunk

SSL Letsencrypt for Splunk on Ubuntu

JosIJntema
Explorer

Hi there,

I have started my own Ubuntu 16.04 server and installed Splunk. This goes smoothly.

Also I have added a domain to the server and set up Let's Encrypt.

In the docs I find things about Splunk Web and SSL, but I cannot get this to work for my Splunk. For one, I do not have a web.conf.

How should I secure my Splunk environment? What is needed to do this the best way?

I will mainly use the HTTP Event Collector.

I am quite new to this, so any suggestions and help would be great.

Thanks.

Jos


JosIJntema
Explorer

Hi mmdoestino,

Thanks for your response.

First the web.conf was not available. When I tried to set SSL in the General Settings tab, it created the web.conf. Then I followed the tutorial and now it works.

However, I do not get the HEC to work.

I see in http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Inputsconf#.5Bhttp.5D the following new settings for the [http] stanza:

sslKeysfile
sslKeysfilePassword
caCertFile
caPath
serverCert
sslVersions

Which do I need to use when I am using the Let's Encrypt .pem files?


mattymo
Splunk Employee

Hey JosIJntema,

Have you seen this blog on using letsencrypt for splunk web?

https://www.splunk.com/blog/2016/08/12/secure-splunk-web-in-five-minutes-using-lets-encrypt/

What version of Splunk are you working with? You will need to ensure you have the Full Splunk Enterprise instance installed, not the universal forwarder...

http://docs.splunk.com/Documentation/Splunk/6.5.2/Security/AboutsecuringyourSplunkconfigurationwithS...

You can also check out April 2016's talk from duckfez and starcher for a great overview:

https://wiki.splunk.com/Virtual_.conf

Once you have secured Splunk web, you can then move to HEC, which since 6.4 has its own [http] stanza in inputs.conf (it used to share splunkd's ssl config in server.conf).

https://www.splunk.com/blog/2016/05/03/splunk-6-4-using-cors-and-ssl-settings-with-http-event-collec...

http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector

Anyways, I suggest starting with securing Splunkweb first with your certs, then moving to securing HEC.

- MattyMo

mattymo
Splunk Employee

As for the HEC use of SSL, if you simply flip on SSL in the global options (aka enableSSL=1) it will use the settings from server.conf...which look like this on my machine.

[splunker@n00bserver bin]$ ./splunk btool server list --debug

/home/splunker/splunk/etc/system/local/server.conf                                   [sslConfig]
/home/splunker/splunk/etc/system/default/server.conf                                 allowSslCompression = true
/home/splunker/splunk/etc/system/default/server.conf                                 allowSslRenegotiation = true
/home/splunker/splunk/etc/system/default/server.conf                                 caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
/home/splunker/splunk/etc/system/default/server.conf                                 caPath = $SPLUNK_HOME/etc/auth
/home/splunker/splunk/etc/system/default/server.conf                                 certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
/home/splunker/splunk/etc/system/default/server.conf                                 cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
/home/splunker/splunk/etc/system/default/server.conf                                 enableSplunkdSSL = true
/home/splunker/splunk/etc/system/default/server.conf                                 sendStrictTransportSecurityHeader = false
/home/splunker/splunk/etc/system/default/server.conf                                 serverCert = $SPLUNK_HOME/etc/auth/server.pem
/home/splunker/splunk/etc/system/local/server.conf                                   sslPassword = <REDACTED>
/home/splunker/splunk/etc/system/default/server.conf                                 sslVersions = *,-ssl2
/home/splunker/splunk/etc/system/default/server.conf                                 sslVersionsForClient = *,-ssl2
/home/splunker/splunk/etc/system/default/server.conf                                 useClientSSLCompression = true
/home/splunker/splunk/etc/system/default/server.conf                                 useSplunkdClientSSLCompression = true
/home/splunker/splunk/etc/system/default/server.conf                                                                

I would try throwing your certs in the auth dir and pointing to it from the inputs, similar to how the caCertFile and path & server cert are set above.

I will try and get my letsencrypt set up cookin and let you know, or will confirm with others much smarter than me 😉

- MattyMo
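As an added example (not code from the thread or from Splunk), the script below assembles the single PEM that the serverCert setting expects from certbot's cert.pem, privkey.pem and chain.pem, and prints the [http] stanza for inputs.conf. It assumes certbot's live directory layout and an unencrypted key (certbot's default), so no key password setting is needed; the output path and port 8088 are assumptions you would adjust.

```shell
#!/bin/sh
# Added example: Let's Encrypt files -> one Splunk-style server PEM + HEC [http] stanza.
# Assumes certbot's live dir layout (cert.pem, privkey.pem, chain.pem), unencrypted key.
set -eu

# Refuse to use a PEM file that does not contain the expected block type.
check_pem() {  # check_pem <file> <BLOCK TYPE, e.g. CERTIFICATE or "PRIVATE KEY">
    grep -q "^-----BEGIN .*$2-----" "$1" || { echo "$1: no $2 block" >&2; return 1; }
}

# serverCert must hold the server cert, then its private key, then the CA chain,
# concatenated in one file. Copy it under $SPLUNK_HOME/etc/auth so the splunk
# user can read it; /etc/letsencrypt/archive is root-only by default.
build_splunk_pem() {  # build_splunk_pem <certbot live dir> <output pem>
    check_pem "$1/cert.pem" CERTIFICATE
    check_pem "$1/privkey.pem" "PRIVATE KEY"
    check_pem "$1/chain.pem" CERTIFICATE
    cat "$1/cert.pem" "$1/privkey.pem" "$1/chain.pem" > "$2"
    chmod 600 "$2"   # the combined file contains the private key
}

# Print the [http] stanza for inputs.conf; enableSSL=1 with a serverCert here
# overrides the server.conf [sslConfig] defaults shown in the btool output above.
hec_stanza() {  # hec_stanza <server pem path>
    printf '[http]\ndisabled = 0\nport = 8088\nenableSSL = 1\nserverCert = %s\n' "$1"
}

# Demo on constructed placeholder PEM files (not real certificates or keys).
demo_dir=$(mktemp -d)
for f in cert chain; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' PLACEHOLDER '-----END CERTIFICATE-----' \
        > "$demo_dir/$f.pem"
done
printf '%s\n' '-----BEGIN PRIVATE KEY-----' PLACEHOLDER '-----END PRIVATE KEY-----' \
    > "$demo_dir/privkey.pem"
build_splunk_pem "$demo_dir" "$demo_dir/hec-server.pem"
hec_stanza "$demo_dir/hec-server.pem"
```

Once the stanza is in $SPLUNK_HOME/etc/system/local/inputs.conf and splunkd is restarted, the served chain can be checked with `openssl s_client -connect <host>:8088 -servername <domain>`, which should show the Let's Encrypt chain rather than Splunk's self-signed cert.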