- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Setup Secure (Encrypted) Syslog
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Has anyone had luck setting up secure (encrypted) syslog with this Addon? It only mentions creating a TCP input which would not be encrypted. Our Proofpoint is hosted at their cloud, so encryption between their cloud and our Heavy Forwarder onsite is imperative.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ended up creating certificates and using the following configuration settings in inputs.conf. The key to making this work is the cipherSuite which is not a default cipher.
[tcp-ssl://1518]
sourcetype = pps_log
index = proofpoint
disabled = false
acceptFrom = *comma seperated list of your cluster server IPs*
[SSL]
requireClientCert = false
serverCert = /opt/splunk/etc/apps/TA_pps/local/certs/combined.cer
sslVersions = tls1.2
cipherSuite = AES256-SHA
The ServerCert should be combined and in the following order:
-----BEGIN CERTIFICATE-----
(Your server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate (if you have one))
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key)
-----END RSA PRIVATE KEY-----
Proofpoint will need to load this certificate chain as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ended up creating certificates and using the following configuration settings in inputs.conf. The key to making this work is the cipherSuite which is not a default cipher.
[tcp-ssl://1518]
sourcetype = pps_log
index = proofpoint
disabled = false
acceptFrom = *comma seperated list of your cluster server IPs*
[SSL]
requireClientCert = false
serverCert = /opt/splunk/etc/apps/TA_pps/local/certs/combined.cer
sslVersions = tls1.2
cipherSuite = AES256-SHA
The ServerCert should be combined and in the following order:
-----BEGIN CERTIFICATE-----
(Your server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate (if you have one))
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key)
-----END RSA PRIVATE KEY-----
Proofpoint will need to load this certificate chain as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey,
you could use [tcp-ssl://1234] in inputs.conf - it offers encrypted receiving of data.
However, best practice is to run a dedicated syslog server, which receives the data and writes it to disk, and have Splunk monitor those files. This helps with reliability, as a syslog server restart might take less than one second, but restarting Splunk might take up to several minutes. You might loose data that would come in during such an restart - which also happens more often with Splunk instances than with syslog servers.
I'd therefore recommend to setup syslog-ng, with encryption enabled, and send your data there.
Hope that helps - if it does I'd be happy if you would upvote/accept this answer, so others could profit from it. 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The proofpoint cloud cluster caches some amount of logs, so a Splunk restart shouldn't result in a loss of logs.
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
