
What's the best way to securely forward data from a Universal Forwarder to a Splunk Indexer?

TitanAE
New Member

Hey Everyone,

Hope your week is going well. I'm currently working to securely forward data from a Universal Forwarder to a Splunk Indexer.

I'm aware the universal forwarder can connect via SSL, but I'm hoping to find another way to secure the transmission.

Currently looking at HTTP Event Collector (HEC), with which I saw that I can generate a token within Splunk and add it to the forwarder. So that would be another possible way of securing the transmission of data to Splunk.

Are there any additional ways that I'm not seeing?

TitanAE

0 Karma

Ranazar
Path Finder

Both the Universal Forwarder and HEC use SSL to encrypt the in-flight data (you should replace the default certs). It sounds like you want an authentication method - like the HEC tokens - for the UF.

I've never used it myself, but it looks like the UF also has authentication tokens that you can use. Here's the link to that section of the documentation. It looks very similar to HEC (but there's apparently no GUI method to configure it).

0 Karma
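
Added example (not part of the original thread and not Splunk's own code): a small Python audit of a forwarder's `outputs.conf` for the points raised in the reply above, namely SSL in use, default certificates replaced, and a forwarder token set. The sample config, host name, certificate path and token are constructed placeholders; the check assumes the `useSSL`, `clientCert`, `sslVerifyServerCert` and `token` settings of `[tcpout:<group>]` stanzas.

```python
import configparser
import posixpath

# Constructed sample outputs.conf (hosts, paths and token are placeholders).
SAMPLE = """\
[tcpout:weak]
server = idx.example.com:9997
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslVerifyServerCert = false

[tcpout:plaintext]
server = idx.example.com:9997

[tcpout:hardened]
server = idx.example.com:9997
useSSL = true
clientCert = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslVerifyServerCert = true
token = 00000000-0000-0000-0000-000000000000
"""

DEFAULT_CERTS = {"server.pem", "cacert.pem"}  # certificate files shipped with Splunk
TRUE = {"true", "1"}  # assumption: only these boolean spellings are recognised here

def audit_outputs(conf_text):
    """Map each [tcpout:<group>] stanza to a list of hardening findings."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep Splunk's camelCase setting names
    cp.read_string(conf_text)
    report = {}
    for name in cp.sections():
        if not name.startswith("tcpout:"):
            continue
        s, found = cp[name], []
        cert = s.get("clientCert", "").strip().replace("\\", "/")
        use_ssl = s.get("useSSL", "legacy").strip().lower()
        # 'legacy' (the default) means SSL is used only when clientCert is set
        if not (use_ssl in TRUE or (use_ssl == "legacy" and cert)):
            found.append("ssl-disabled")
        else:
            if posixpath.basename(cert) in DEFAULT_CERTS:
                found.append("default-cert")
            if s.get("sslVerifyServerCert", "false").strip().lower() not in TRUE:
                found.append("server-cert-not-verified")
        if not s.get("token", "").strip():
            found.append("no-forwarder-token")
        report[name] = found
    return report

if __name__ == "__main__":
    for stanza, found in audit_outputs(SAMPLE).items():
        print(stanza, found or "ok")
```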

marycordova
SplunkTrust
  1. use regular TCP transport with SSL (as you already noted)
  2. use HTTP transport with HEC (which you also noted) + SSL = HTTPS
@marycordova
0 Karma

gjanders
SplunkTrust

Why would you want to avoid the Splunk to Splunk + SSL / TLS communication?

0 Karma

TitanAE
New Member

I'm not trying to avoid it. I'm trying to see if there is anything I can do in addition to SSL/TLS communication.

0 Karma