Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SSL for third-party forwarding?

jhigginsmq
Path Finder
‎03-10-2017 06:37 AM

Hi. We are looking at the possibility of forwarding data from a Splunk indexer (with "indexAndForward") to a third-party system using SSL. As it's a non-Splunk receiving system we need to use "sendCookedData = false" in outputs.conf. I'm aware of the SSL settings in outputs.conf but all documentation I've seen only describes these settings in the context of a Splunk indexer on the receiving end, with corresponding settings in inputs.conf.

Is it possible to use the SSL settings in the outputs.conf of the forwarding system with a non-Splunk receiver? My knowledge of SSL and the receiving system is limited but presumably some configuration of the receiver would be required to accept this.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎03-10-2017 06:51 AM

indexAndForward is for heavy forwarders only. It will not work on indexers. Let me know if that's an option for you, if so I can elaborate on the SSL questions.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jkat54
SplunkTrust
SplunkTrust
‎03-10-2017 06:51 AM

indexAndForward is for heavy forwarders only. It will not work on indexers. Let me know if that's an option for you, if so I can elaborate on the SSL questions.

0 Karma
Reply
Solved! Jump to solution

jhigginsmq
Path Finder
‎03-10-2017 07:11 AM

Ok I can see it says "This attribute is only available for heavy forwarders" under indexAndForward in the outputs.conf.spec, I assumed this meant only as opposed to universal forwarders. Isn't a 'heavy forwarder that indexes', really just an 'indexer that forwards'?

Either way I am keen to hear your SSL thoughts, thanks.

0 Karma
Reply
Solved! Jump to solution

jkat54
SplunkTrust
SplunkTrust
‎03-10-2017 08:55 AM 
SSL should work just fine sending to other servers and ports.  SSL Verification will work too.  You've got to create your own pem

openssl genrsa -aes256 -out splunkforwarders.yourdomain.com.key 2048
openssl req -new -key splunkforwarders.yourdomain.com.key -out splunkforwarders.yourdomain.com.csr
openssl x509 -req -in splunkforwarders.yourdomain.com.csr -sha1 -signkey splunkforwarders.yourdomain.com.key -CAcreateserial -out splunkforwarders.yourdomain.com.crt -days 365


cat splunkforwarders.yourdomain.com.crt splunkforwarders.yourdomain.com.key rootca.crt subca1.crt subca2.crt > splunkforwarders.pem

inputs.conf:
[your_stanza]
_INDEX_AND_FORWARD_ROUTING  = ssl_forwarding

outputs.conf:
[tcpout]
defaultGroup = indexers
indexAndForward = true

[tcpout:ssl_forwarding]
sendCookedData = false
server = {some_host}:{port}
clientCert = $SPLUNK_HOME/etc/myauth/splunkforwarders.pem
sslPassword ={password}
sslRootCAPath = $SPLUNK_HOME/etc/myauth/rootca.crt
sslVerifyServerCert = true
sslCommonNameToCheck = {some_host}

[tcpout:indexers]
server = {some_indexer_1}:{port}, {some_indexer_2}:{port}
0 Karma
Reply
Solved! Jump to solution

jhigginsmq
Path Finder
‎03-10-2017 12:58 PM

Ok great, think I need to read up on the SSL settings a bit more but good to know it can be done and the example look useful, thanks.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...