SSL for third-party forwarding?

jhigginsmq
Path Finder

Hi. We are looking at the possibility of forwarding data from a Splunk indexer (with "indexAndForward") to a third-party system using SSL. As it's a non-Splunk receiving system we need to use "sendCookedData = false" in outputs.conf. I'm aware of the SSL settings in outputs.conf but all documentation I've seen only describes these settings in the context of a Splunk indexer on the receiving end, with corresponding settings in inputs.conf.

Is it possible to use the SSL settings in the outputs.conf of the forwarding system with a non-Splunk receiver? My knowledge of SSL and the receiving system is limited but presumably some configuration of the receiver would be required to accept this.

0 Karma
1 Solution

jkat54
SplunkTrust

indexAndForward is for heavy forwarders only. It will not work on indexers. Let me know if that's an option for you, if so I can elaborate on the SSL questions.

0 Karma

jhigginsmq
Path Finder

Ok I can see it says "This attribute is only available for heavy forwarders" under indexAndForward in the outputs.conf.spec, I assumed this meant only as opposed to universal forwarders. Isn't a 'heavy forwarder that indexes', really just an 'indexer that forwards'?

Either way I am keen to hear your SSL thoughts, thanks.

0 Karma

jkat54
SplunkTrust

SSL should work just fine sending to other servers and ports. SSL verification will work too. You've got to create your own pem:

# generate a 2048-bit RSA key, AES-256 encrypted (this passphrase becomes sslPassword below)
openssl genrsa -aes256 -out splunkforwarders.yourdomain.com.key 2048
# create a certificate signing request for the forwarder
openssl req -new -key splunkforwarders.yourdomain.com.key -out splunkforwarders.yourdomain.com.csr
# self-sign the request with the forwarder's own key (SHA-256 signature, valid one year)
openssl x509 -req -in splunkforwarders.yourdomain.com.csr -sha256 -signkey splunkforwarders.yourdomain.com.key -out splunkforwarders.yourdomain.com.crt -days 365

# bundle in the order Splunk expects: certificate, private key, then the issuer chain
# (the CA files apply when the CSR was signed by your own CA rather than self-signed)
cat splunkforwarders.yourdomain.com.crt splunkforwarders.yourdomain.com.key rootca.crt subca1.crt subca2.crt > splunkforwarders.pem

inputs.conf:
[your_stanza]
_INDEX_AND_FORWARD_ROUTING = ssl_forwarding

outputs.conf:
[tcpout]
defaultGroup = indexers
indexAndForward = true

[tcpout:ssl_forwarding]
sendCookedData = false
server = {some_host}:{port}
clientCert = $SPLUNK_HOME/etc/myauth/splunkforwarders.pem
sslPassword = {password}
sslRootCAPath = $SPLUNK_HOME/etc/myauth/rootca.crt
sslVerifyServerCert = true
sslCommonNameToCheck = {some_host}

[tcpout:indexers]
server = {some_indexer_1}:{port}, {some_indexer_2}:{port}

0 Karma
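Two settings in that stanza default the wrong way for a non-Splunk receiver (sendCookedData defaults to true, sslVerifyServerCert to false), so leaving either one out silently weakens the setup. The checker below is an added example, not code from this thread or from Splunk: it parses an outputs.conf text, lints the SSL forwarding stanza, and checks that a PEM bundle has the order the cat command above produces (certificate, private key, issuer chain). The hostnames, paths and PEM bodies are constructed placeholders.

```python
"""Added example: lint an outputs.conf SSL forwarding stanza and a PEM bundle.
Not code from the thread or from Splunk; all sample values are constructed."""
import configparser
import re
from typing import Dict, List

# Constructed: the thread's stanza with sendCookedData and sslVerifyServerCert
# omitted, i.e. left at their defaults (true and false respectively).
WEAK_CONF = """\
[tcpout]
defaultGroup = indexers
indexAndForward = true

[tcpout:ssl_forwarding]
server = siem.example.com:6514
clientCert = $SPLUNK_HOME/etc/myauth/splunkforwarders.pem
sslPassword = {password}

[tcpout:indexers]
server = idx1.example.com:9997, idx2.example.com:9997
"""

# Constructed: the same stanza with every setting from the answer filled in.
FIXED_CONF = """\
[tcpout]
defaultGroup = indexers
indexAndForward = true

[tcpout:ssl_forwarding]
sendCookedData = false
server = siem.example.com:6514
clientCert = $SPLUNK_HOME/etc/myauth/splunkforwarders.pem
sslPassword = {password}
sslRootCAPath = $SPLUNK_HOME/etc/myauth/rootca.crt
sslVerifyServerCert = true
sslCommonNameToCheck = siem.example.com

[tcpout:indexers]
server = idx1.example.com:9997, idx2.example.com:9997
"""


def parse_outputs_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}} (keys stay case-sensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # Splunk keys such as sslVerifyServerCert are case-sensitive
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def _true(value: str) -> bool:
    return value.strip().lower() in ("true", "1", "yes")


def lint_ssl_stanza(conf: Dict[str, Dict[str, str]], stanza: str,
                    non_splunk_receiver: bool = True) -> List[str]:
    """Return a list of findings for a [tcpout:<group>] stanza; empty means clean."""
    findings: List[str] = []
    s = conf.get(stanza)
    if s is None:
        return [f"{stanza}: stanza not found"]
    # sendCookedData defaults to true; a non-Splunk receiver cannot parse cooked data
    if non_splunk_receiver and _true(s.get("sendCookedData", "true")):
        findings.append("sendCookedData is not false: receiver will get Splunk-cooked data")
    if "clientCert" not in s:
        findings.append("clientCert not set: TLS is not configured for this stanza")
    # sslVerifyServerCert defaults to false: traffic is encrypted but any server cert is accepted
    if not _true(s.get("sslVerifyServerCert", "false")):
        findings.append("sslVerifyServerCert is not true: receiver identity is not checked")
    else:
        if "sslRootCAPath" not in s:
            findings.append("sslRootCAPath not set: nothing to verify the receiver cert against")
        host = s.get("server", "").split(",")[0].strip().rsplit(":", 1)[0]
        cn = s.get("sslCommonNameToCheck", "").strip()
        if not cn:
            findings.append("sslCommonNameToCheck not set: any cert from the CA is accepted")
        elif cn != host:
            findings.append(f"sslCommonNameToCheck ({cn}) does not match server host ({host})")
    return findings


PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def check_pem_bundle(text: str) -> List[str]:
    """Check block order of a bundle built like the cat command: cert, key, CA chain."""
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    findings: List[str] = []
    if not labels or labels[0] != "CERTIFICATE":
        findings.append("first block must be the forwarder certificate")
    # openssl genrsa -aes256 yields ENCRYPTED PRIVATE KEY (OpenSSL 3) or RSA PRIVATE KEY (1.x)
    if len(labels) < 2 or not labels[1].endswith("PRIVATE KEY"):
        findings.append("second block must be the forwarder private key")
    if len(labels) < 3 or any(label != "CERTIFICATE" for label in labels[2:]):
        findings.append("issuer chain certificates should follow the key")
    return findings


def pem_block(label: str) -> str:
    # Constructed PEM block with a dummy body; only the labels are inspected.
    return f"-----BEGIN {label}-----\nMIIBdummy\n-----END {label}-----\n"


GOOD_BUNDLE = (pem_block("CERTIFICATE") + pem_block("ENCRYPTED PRIVATE KEY")
               + pem_block("CERTIFICATE") + pem_block("CERTIFICATE"))
BAD_BUNDLE = pem_block("ENCRYPTED PRIVATE KEY") + pem_block("CERTIFICATE")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, lint_ssl_stanza(parse_outputs_conf(conf), "tcpout:ssl_forwarding"))
    print("bundle", check_pem_bundle(GOOD_BUNDLE), check_pem_bundle(BAD_BUNDLE))
```

Run it against the real $SPLUNK_HOME/etc/system/local/outputs.conf (or the app's local copy) before restarting: the weak stanza above produces two findings without a single wrong value being typed, only two keys left out.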

jhigginsmq
Path Finder

Ok great, think I need to read up on the SSL settings a bit more but good to know it can be done and the example looks useful, thanks.

0 Karma