Getting Data In

Use a Heavy Forwarder to Receive Unencrypted Traffic and Send Encrypted

skycree_rh
Explorer

Hi,
I have set up a heavy forwarder to accept TCP unencrypted traffic from a Palo Alto device, that has the Palo Alto TA installed, on our local network. I would like to send the data encrypted using SSL to our indexer in AWS. The indexer in AWS is already configured and working for receiving SSL encrypted events. Is there a configuration that needs to be done on the heavy forwarder to allow this?

By running tcpdump I can see the unencrypted data coming from the Palo Alto device. I can see encrypted data going to our indexer but all that I can see is hostname related events in the _internal index, and no evidence of the pan:log sourcetype.

Thanks

1 Solution

skycree_rh
Explorer

For this particular situation the Palo Alto for Splunk App and TA only work with the main index. When I removed the custom index I could see the events populating.


hardikJsheth
Motivator

Yes, it can be done using SSL certificates. You need to add certificate information in your outputs.conf as follows:

[tcpout:test_clustered_indexers]
server = indexer.abc.com:9997
compressed = true
sslVerifyServerCert = true
sslRootCAPath = /opt/splunkforwarder/etc/auth/certificate/cert.pem
sslCertPath = /opt/splunkforwarder/etc/auth/certificate/CertFull.pem
sslPassword = <yourPassword>
useClientSSLCompression = true

and on the indexer machines you need to add the following stanza in inputs.conf.

[SSL]
password = <cert password>
rootCA = <path to your root CA certificate>
serverCert = <Path to your server certificate>
requireClientCert = true
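An added example (not code from this thread or from Splunk) that parses stanzas shaped like the two above, placeholders left as posted, and flags the settings whose absence would leave the forwarder-to-indexer hop unverified or unencrypted: sslVerifyServerCert not true, no CA or client certificate path, requireClientCert off, and an [SSL] stanza with no matching [splunktcp-ssl:<port>] receiver. The stanza names and keys are Splunk's own; the sample file contents are constructed.

```python
import configparser
# Constructed samples mirroring the stanzas posted in this thread (placeholders kept as-is).
OUTPUTS_CONF = """
[tcpout:test_clustered_indexers]
server = indexer.abc.com:9997
sslVerifyServerCert = true
sslRootCAPath = /opt/splunkforwarder/etc/auth/certificate/cert.pem
sslCertPath = /opt/splunkforwarder/etc/auth/certificate/CertFull.pem
sslPassword = <yourPassword>
"""
INPUTS_CONF = """
[SSL]
password = <cert password>
rootCA = <path to your root CA certificate>
serverCert = <Path to your server certificate>
requireClientCert = true
"""

def _parse(text):
    # Splunk .conf files are INI-like; keep key case since Splunk keys are case-sensitive.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def _is_true(section, key):
    return section.get(key, "false").strip().lower() in ("true", "1")

def audit_outputs(text):
    # One finding per weak or missing TLS setting in each tcpout:<group> stanza.
    cp, findings = _parse(text), []
    for name in (s for s in cp.sections() if s.startswith("tcpout:")):
        sec = cp[name]
        if not _is_true(sec, "sslVerifyServerCert"):
            findings.append(f"{name}: sslVerifyServerCert is not true, indexer identity is not checked")
        if not sec.get("sslRootCAPath"):
            findings.append(f"{name}: no sslRootCAPath, nothing to verify the indexer certificate against")
        if not sec.get("sslCertPath"):
            findings.append(f"{name}: no sslCertPath, an indexer with requireClientCert=true will reject it")
    return findings

def audit_inputs(text):
    # Findings for the receiving side: client auth, a TLS listener, and any plaintext listener.
    cp, findings = _parse(text), []
    if "SSL" in cp and not _is_true(cp["SSL"], "requireClientCert"):
        findings.append("[SSL]: requireClientCert is not true, clients need no certificate")
    if not any(s.startswith("splunktcp-ssl:") for s in cp.sections()):
        findings.append("no [splunktcp-ssl:<port>] stanza, an [SSL] stanza alone opens no TLS listener")
    for name in (s for s in cp.sections() if s.startswith("splunktcp:")):
        findings.append(f"[{name}]: plaintext listener, data on this port is unencrypted")
    return findings
```

Run against the posted stanzas it reports only the missing [splunktcp-ssl:<port>] receiver, which the inputs.conf snippet above does not show.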

skycree_rh
Explorer

Hi, thanks for the response. Yes, I do have that setup already which is why I'm confused as to why the events are not showing in the index.
