Solved: What is the security measures that i should take w...

royimad · ‎03-20-2013

Hello Splunkies,

I need to know what are the security measures that is should take if i want to introduce universal forwarder on a production environment to forward data to splunk instance on another machine.

Thanks,
Roy

kristian_kolb · ‎03-20-2013

You may want to encrypt the log traffic with proper SSL-keys, and not the ones that come by default.

Change the splunk password from 'changeme' into something else.

You might consider Forwarder Acknoledgement, to ensure that data gets written to index.

http://docs.splunk.com/Documentation/Splunk/latest/Security/WhatyoucansecurewithSplunk

/K

View solution in original post

dshpritz · ‎03-20-2013

Also, if possible, change the user that Splunk runs as:

http://docs.splunk.com/Documentation/Splunk/5.0.2/installation/RunSplunkasadifferentornon-rootuser

Drainy · ‎03-20-2013

Its worth adding that if you install Splunk via the rpm on linux it will handle this for you

kristian_kolb · ‎03-20-2013

You may want to encrypt the log traffic with proper SSL-keys, and not the ones that come by default.

Change the splunk password from 'changeme' into something else.

You might consider Forwarder Acknoledgement, to ensure that data gets written to index.

http://docs.splunk.com/Documentation/Splunk/latest/Security/WhatyoucansecurewithSplunk

/K

What is the security measures that i should take when introducing universal forwarder on a production environment?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...