Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my AMI of Splunk's inputs.conf to allow TLS connections?

npiagentini
New Member
‎03-16-2017 01:37 PM

I am inexperienced with both Splunk and AWS, so keep that in mind. 😉
I wish to edit my AMI of Splunk Enterprise's inputs.conf file to allow TLS connections. I successfully accessed the AMI using SSH, and was able to su to get into the ./home/splunk folder. Once there I fond no items in it. No etc folder. No anything.

I can hit the web interface and use Splunk Web so I know it is running. I just can't find the config files. Any pointers would be much appreciated. I am sure I am missing something obvious....

Thanks for your time!

Nick

0 Karma
Reply

jethompson_splu
Splunk Employee
Splunk Employee
‎03-23-2017 07:34 AM

Hello Nick,

From my understanding of your question you are wanting to enable TLS only connections for your Splunk Web interface. The default installation path for Splunk is:

/opt/splunk

The above directory is usually referenced using: $SPLUNK_HOME/ . The changes that you are wanting to make, you would need to make to the following files located inside of the $SPLUNK_HOME/etc/system/.... directory. The files that you would be working with are:

web.conf
server.conf

You will want to make sure that you are not modifying the files in the ../default/ (Default Folder/Directory -- $SPLUNK_HOME/etc/system/default/ ) as these files should not be modified. These files will be replaced during an Upgrade and as such you will want to make sure that you make modifications to the files in the ../local/ (Local Folder/Directory -- $SPLUNK_HOME/etc/system/local/ ).

For your files in the ../local/ directory all you would need to do is copy the Stanza from the ../default/web.conf (or server.conf) file into the ../local/web.conf (or server.conf) file and modify to your needs. Now you can also modify the Cipher Suite being used, and the following link will provide further information on how to complete that process:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Security/Determineyourciphersuite

The following link will provide information on setting the SSL Version to be used:

https://docs.splunk.com/Documentation/Splunk/6.5.2/Security/SetyourSSLversion

This should provide the information needed to complete the changes that you are wanting to make to "Secure" your Splunk Web Interface.

Jeff Thompson

0 Karma
Reply

npiagentini
New Member
‎03-23-2017 10:53 AM

Thanks Jeff. I am actually trying to enable a syslog over TLS feed. I just could not find the $SPLUNK_HOME$ on the AMI. Looks like it is /opt/splunk but I still can't seem to get it to work!

0 Karma
Reply

jethompson_splu
Splunk Employee
Splunk Employee
‎03-23-2017 12:22 PM

Hello Nick,

Thank you for that additional information and to further assist you with this please review the following Splunk Answers page which discusses Enabling a Receiver for Syslog Ingestion:

https://answers.splunk.com/answers/506986/can-i-have-a-universal-forwarder-listen-on-port-ud-1.html#...

The information provided at the Link in that Answers Post and the information provided should help you get your Syslog data into Splunk.

0 Karma
Reply
Get Updates on the Splunk Community!

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...