Hi there,
I have started my own Ubuntu 16.04 server and installed Splunk. This goes smoothly.
Also I have added a domain to the server and setup Let's Encrypt.
In the docs I find things about Splunk Web and SSL, but I cannot get this to work for my Splunk. For one, I do not have a web.conf.
How should I secure my Splunk environment? What is needed to do this the best way?
I will mainly use the HTTP Event Collector.
I am quite new to this, so any suggestions and help would be great.
Thanks.
Jos
Hi mmdoestino,
Thanks for your response.
At first the web.conf was not available. When I tried to set SSL in the General Settings tab, it created the web.conf. Then I followed the tutorial and now it works.
However, I do not get the HEC to work.
I see in http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Inputsconf#.5Bhttp.5D the following new settings for the [http] stanza:
sslKeysfile
sslKeysfilePassword
caCertFile
caPath
serverCert
sslVersions
Which do I need to use when I am using the Let's Encrypt .pem files?
Hey JoslJntema,
Have you seen this blog on using Let's Encrypt for Splunk Web?
https://www.splunk.com/blog/2016/08/12/secure-splunk-web-in-five-minutes-using-lets-encrypt/
What version of Splunk are you working with? You will need to ensure you have the Full Splunk Enterprise instance installed, not the universal forwarder...
You can also check out April 2016's talk from duckfez and starcher for a great overview:
https://wiki.splunk.com/Virtual_.conf
Once you have secured Splunk Web, you can then move to HEC, which since 6.4 has its own [http] stanza in inputs.conf (it used to share splunkd's SSL config in server.conf).
http://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector
Anyway, I suggest starting with securing Splunk Web first with your certs, then moving to securing HEC.
As for the HEC use of SSL, if you simply flip on SSL in the global options (aka enableSSL=1) it will use the settings from server.conf, which look like this on my machine:
[splunker@n00bserver bin]$ ./splunk btool server list --debug
/home/splunker/splunk/etc/system/local/server.conf [sslConfig]
/home/splunker/splunk/etc/system/default/server.conf allowSslCompression = true
/home/splunker/splunk/etc/system/default/server.conf allowSslRenegotiation = true
/home/splunker/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
/home/splunker/splunk/etc/system/default/server.conf caPath = $SPLUNK_HOME/etc/auth
/home/splunker/splunk/etc/system/default/server.conf certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
/home/splunker/splunk/etc/system/default/server.conf cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH
/home/splunker/splunk/etc/system/default/server.conf enableSplunkdSSL = true
/home/splunker/splunk/etc/system/default/server.conf sendStrictTransportSecurityHeader = false
/home/splunker/splunk/etc/system/default/server.conf serverCert = $SPLUNK_HOME/etc/auth/server.pem
/home/splunker/splunk/etc/system/local/server.conf sslPassword = <REDACTED>
/home/splunker/splunk/etc/system/default/server.conf sslVersions = *,-ssl2
/home/splunker/splunk/etc/system/default/server.conf sslVersionsForClient = *,-ssl2
/home/splunker/splunk/etc/system/default/server.conf useClientSSLCompression = true
/home/splunker/splunk/etc/system/default/server.conf useSplunkdClientSSLCompression = true
/home/splunker/splunk/etc/system/default/server.conf
I would try throwing your certs in the auth dir and pointing to it from the inputs, similar to how the caCertFile and path & server cert are set above.
I will try and get my Let's Encrypt setup cooking and let you know, or will confirm with others much smarter than me 😉
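One way to put the advice above into practice, added here as an example and not code from anyone in the thread: Splunk reads a single PEM holding the server certificate, then the private key, then the CA chain, so the Let's Encrypt files are concatenated in that order and the HEC [http] stanza is pointed at the result using only the setting names named above. The Let's Encrypt filenames (cert.pem, privkey.pem, chain.pem), the output path, the tls1.2 value and the absence of a key password (Let's Encrypt keys are unencrypted) are assumptions; the demo directory holds constructed placeholder blocks, not real keys.

```bash
#!/usr/bin/env bash
# Added example: build a Splunk-format PEM from Let's Encrypt files and
# emit an inputs.conf [http] stanza for HEC. Paths are assumptions.
set -eu

# Concatenate leaf cert, private key and chain into one PEM (Splunk order).
# Args: <letsencrypt live dir> <output pem>
build_hec_pem() {
  local live="$1" out="$2" f
  for f in cert.pem privkey.pem chain.pem; do
    [ -r "$live/$f" ] || { echo "missing $live/$f" >&2; return 1; }
  done
  # The combined file contains the private key: create it mode 0600.
  ( umask 077; cat "$live/cert.pem" "$live/privkey.pem" "$live/chain.pem" > "$out" )
}

# Report the order of PEM block types in a file, e.g. "CERTIFICATE,PRIVATE KEY,CERTIFICATE".
pem_block_order() {
  grep -E '^-----BEGIN ' "$1" | sed 's/^-----BEGIN //; s/-----$//' | paste -s -d, -
}

# Emit the [http] stanza: serverCert is the combined PEM, caCertFile is the
# issuer chain so splunkd can build the trust path; TLS 1.2 only (assumed).
write_http_stanza() {
  local pem="$1" ca="$2"
  printf '[http]\nenableSSL = 1\nserverCert = %s\ncaCertFile = %s\nsslVersions = tls1.2\n' "$pem" "$ca"
}

# Constructed demo input: placeholder blocks stand in for the real
# Let's Encrypt files. These are NOT valid certificates or keys.
make_demo_live_dir() {
  local d
  d="$(mktemp -d)"
  printf -- '-----BEGIN CERTIFICATE-----\nLEAFPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$d/cert.pem"
  printf -- '-----BEGIN PRIVATE KEY-----\nKEYPLACEHOLDER\n-----END PRIVATE KEY-----\n' > "$d/privkey.pem"
  printf -- '-----BEGIN CERTIFICATE-----\nCHAINPLACEHOLDER\n-----END CERTIFICATE-----\n' > "$d/chain.pem"
  echo "$d"
}

# Stand-alone run: build the PEM from the demo dir and print the stanza.
if [ "${HEC_PEM_DEMO:-0}" = "1" ]; then
  live="$(make_demo_live_dir)"
  build_hec_pem "$live" "$live/hec.pem"
  echo "block order: $(pem_block_order "$live/hec.pem")"
  write_http_stanza "$live/hec.pem" "$live/chain.pem"
fi
```

With real files, point build_hec_pem at the Let's Encrypt live directory and write the stanza output into $SPLUNK_HOME/etc/system/local/inputs.conf, then restart splunkd.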