Hi,
I have set up a heavy forwarder to accept TCP unencrypted traffic from a Palo Alto device, that has the Palo Alto TA installed, on our local network. I would like to send the data encrypted using SSL to our indexer in AWS. The indexer in AWS is already configured and working for receiving SSL encrypted events. Is there a configuration that needs to be done on the heavy forwarder to allow this?
By running tcpdump I can see the unencrypted data coming from the Palo Alto device. I can see encrypted data going to our indexer but all that I can see is hostname related events in the _internal index, and no evidence of the pan:log sourcetype.
Thanks
For this particular situation the Palo Alto for Splunk App and TA only work with the main index. When I removed the custom index I could see the events populating.
Yes it can be done using SSL certificates. You need to add certificate information in your outputs.conf as follows:
[tcpout:test_clustered_indexers]
server = indexer.abc.com:9997
compressed = true
sslVerifyServerCert = true
sslRootCAPath = /opt/splunkforwarder/etc/auth/certificate/cert.pem
sslCertPath = /opt/splunkforwarder/etc/auth/certificate/CertFull.pem
sslPassword = <yourPassword>
useClientSSLCompression = true
and on the indexer machines you need to add the following stanza in inputs.conf.
[SSL]
password = <cert password>
rootCA = <path to your root CA certificate>
serverCert = <Path to your server certificate>
requireClientCert = true
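A quick way to check that a forwarder's outputs.conf actually carries the TLS settings described in the answer above (this is an added example, not Splunk's own code or the original poster's config). It parses the Splunk conf format and flags any tcpout group that lacks a client certificate, has sslVerifyServerCert unset or false, or has no sslRootCAPath, since any of those means the forwarder either sends in the clear or does not validate the indexer it connects to. The sample config, including the legacy_plaintext group, is constructed for the example.

```python
"""Lint a Splunk outputs.conf for the forwarder-side TLS settings.

Added example, not Splunk's code. The checks use the same keys named in
the answer above (sslVerifyServerCert, sslRootCAPath, sslCertPath) plus
clientCert, the newer name for the client certificate setting.
"""
from __future__ import annotations

# Constructed sample: one group mirroring the answer, one with no TLS settings.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = test_clustered_indexers

[tcpout:test_clustered_indexers]
server = indexer.abc.com:9997
compressed = true
sslVerifyServerCert = true
sslRootCAPath = /opt/splunkforwarder/etc/auth/certificate/cert.pem
sslCertPath = /opt/splunkforwarder/etc/auth/certificate/CertFull.pem
sslPassword = <yourPassword>
useClientSSLCompression = true

[tcpout:legacy_plaintext]
server = 10.0.0.5:9997
"""


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse Splunk's [stanza] / key = value format into nested dicts."""
    stanzas: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "1", "yes", "on"}


def lint_tcpout(stanzas: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Return a list of TLS findings per tcpout group (empty list = clean)."""
    findings: dict[str, list[str]] = {}
    for name, kv in stanzas.items():
        if not name.startswith("tcpout:"):
            continue  # the bare [tcpout] stanza only holds defaultGroup etc.
        problems: list[str] = []
        if "sslCertPath" not in kv and "clientCert" not in kv:
            problems.append(
                "no client certificate (sslCertPath/clientCert): "
                "forwarder-to-indexer traffic will not be TLS"
            )
        if not _truthy(kv.get("sslVerifyServerCert", "false")):
            problems.append(
                "sslVerifyServerCert is not true: the indexer's certificate is not validated"
            )
        if "sslRootCAPath" not in kv:
            problems.append("sslRootCAPath missing: no trust anchor to verify the indexer")
        findings[name] = problems
    return findings


if __name__ == "__main__":
    for group, problems in lint_tcpout(parse_conf(SAMPLE_OUTPUTS_CONF)).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{group}: {status}")
```

Run it against a real file with `lint_tcpout(parse_conf(open("/opt/splunkforwarder/etc/system/local/outputs.conf").read()))`; a clean TLS group comes back with an empty list, while a group that only names a server gets three findings. Note that the check only looks at the forwarder's side: whether the indexer in turn requires a client certificate is decided by `requireClientCert` in its own inputs.conf, as in the answer above.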
Hi, thanks for the response. Yes, I do have that setup already which is why I'm confused as to why the events are not showing in the index.