When we setup Splunk some time ago, I did not setup encryption for data received from light/universal forwarders. Now I want to encrypt data from all of those forwarders. I can't realistically cutover every last forwarder at the same time (and I'd worry about events getting dropped in the process of a cutover).
It appears that you can't have one port do both encrypted and non-encrypted data. I believe I saw in another post that you would need to create another TCP listener port and configure that to use SSL.
I looked around and am not really sure how to create a second port. Is this just adding a new TCP listener in "Data Inputs" and then somehow configuring it with the SSL encryption-only configuration?
Thanks
Yes you can add another listening port by either:
a) Using the UI by going to Manager->
b) Using the command-line command, ./splunk enable listen 9998 -auth admin:change me
c) editing the inputs.conf file and adding a new stanza like [splunktcp://9998]
See this documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Aboutforwardingandreceivingdata
Regarding SSL encryption, you need to decide whether you want to use your own certificates or the ones supplied by Splunk. I suggest you read this:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/UseSSLtoencryptandauthenticatedatafromforwa...
Yes you can add another listening port by either:
a) Using the UI by going to Manager->
b) Using the command-line command, ./splunk enable listen 9998 -auth admin:change me
c) editing the inputs.conf file and adding a new stanza like [splunktcp://9998]
See this documentation:
http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Aboutforwardingandreceivingdata
Regarding SSL encryption, you need to decide whether you want to use your own certificates or the ones supplied by Splunk. I suggest you read this:
http://docs.splunk.com/Documentation/Splunk/latest/Admin/UseSSLtoencryptandauthenticatedatafromforwa...
no nothing different, it's simply that the examples use the standard port. You can have many TCP listening ports with or without SSL encryption configured.
Thanks, itinney. I had read the SSL document you referred to (and the wiki and a few other things), but all those docs seemed to assume configuration against the standard listener port. It was clear to me if there was anything special about creating this second port.