Hello All
I have the following configuration that I would like to see work if possible. A server in the DMZ set up as an intermediary to capture logs from devices in AWS being transported over the internet. Could one possibly have the following setup:
AWS universal forwarder 3rd party cert
server.conf:
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/3rdpartycert/cacert.pem
outputs.conf
[tcpout]
[tcpout:dmz_fwd]
server = dmz-fwder.example.org:9997
disabled = 0
clientCert = $SPLUNK_HOME/etc/auth/3rdpartycert/client.pem
useClientSSLCompression = true
sslPassword = <blah>
sslCommonNameToCheck = dmz-fwder.example.org
sslVerifyServerCert = true
DMZ Host 3rd party Cert and Splunk Cert
inputs.conf:
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/3rdpartycert/server.pem
sslPassword = password
requireClientCert = True
server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/3rdpartycert/cacert.pem
Then the DMZ host would use the default certs and default SSL configuration to send the data into a secure network on our intranet. I am not sure it will work, due to the fact that the server.conf on the DMZ host will have a conflict between the 3rd party cert and the Splunk out-of-the-box cert.
server.conf required for default certs
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
Thoughts?
Thanks in advance
@edwardrose,
I don't think it will be a problem. If you are sending data outside Splunk, then the configuration will be there in outputs.conf, and we are not specifying any SSL use there.
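
Added example, not part of the original thread: `sslRootCAPath` takes a single PEM file, and that file may hold more than one CA certificate, so one way to handle the case raised in the question (third-party certs inbound, default certs outbound) is a bundle containing both CAs. The script builds two throwaway CAs as constructed stand-ins for the third-party CA and Splunk's default CA (all file names and subjects are made up) and uses `openssl verify` to show which certificates chain to each trust file.

```shell
# Added demo. Two throwaway CAs stand in for the third-party CA and Splunk's
# default CA; every file name and subject below is constructed.
make_ca() {      # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

issue_leaf() {   # $1 = leaf prefix, $2 = leaf common name, $3 = issuing CA prefix
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
    -CAcreateserial -days 1 -out "$1.pem" 2>/dev/null
}

chains_to() {    # $1 = trust file, $2 = certificate; prints ok or FAIL
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  then echo ok; else echo FAIL; fi
}

demo() {
  workdir=$(mktemp -d)
  (
    cd "$workdir" || exit 1
    make_ca thirdparty_ca "Constructed Third-Party CA"
    make_ca splunk_ca "Constructed Splunk Default CA"
    issue_leaf aws_client aws-uf.example.org thirdparty_ca   # cert the AWS forwarder presents
    issue_leaf indexer indexer.example.org splunk_ca         # cert an intranet indexer presents
    # The bundle is the file a single sslRootCAPath would point at.
    cat thirdparty_ca.pem splunk_ca.pem > combined_ca.pem
    for trust in thirdparty_ca splunk_ca combined_ca; do
      for cert in aws_client indexer; do
        echo "$trust $cert $(chains_to "$trust.pem" "$cert.pem")"
      done
    done
  )
  rm -rf "$workdir"
}

demo
```

On the DMZ host the equivalent is concatenating the two existing `cacert.pem` files into one file and pointing `sslRootCAPath` in server.conf at it, after checking both certificates against the bundle with `openssl verify`.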