Splunk® Enterprise

Admin Manual

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Use SSL to encrypt and authenticate data from forwarders

The communication between forwarder and receiver can use SSL authentication and encryption, or just SSL encryption.

To enable SSL, edit each forwarder's outputs.conf file and each receiver's inputs.conf file.

Enable SSL on the forwarder

You enable SSL in the forwarder's outputs.conf file. If you are using SSL just for encryption, you can set SSL attributes at any stanza level: default (tcpout), target group, or server. If you are also using SSL for authentication, you must specify SSL attributes at the server level. Each receiving server needs a stanza that specifies its certificate names.

For detailed guidance on configuring outputs.conf, including its stanza levels, see "Configure forwarders with outputs.conf" in the Distributed Deployment manual.

SSL attributes

This table describes the set of SSL attributes in outputs.conf:

Attribute Value
sslCertPath Full path to client certificate file.
sslPassword Password for the certificate. Default is "password".
sslRootCAPath Path to root certificate authority file.
sslVerifyServerCert Set to true or false. Default is "false", which enables SSL for encryption only. If set to "true", the forwarder will determine whether the receiving server is authenticated, checking sslCommonNameToCheck and sslAltNameToCheck for a match. If neither matches, authentication fails.
sslCommonNameToCheck Server's common name. Set only if sslVerfyServerCert is "true". The forwarder checks the common name of the server's certificate against this value.
sslAltNameToCheck Server's alternate name. Set only if sslVerfyServerCert is "true". The forwarder checks the alternate name of the server's certificate against this value.


Set SSL for encryption only

Add attribute/value pairs at the appropriate stanza level. Here, the attributes are specified at the tcpout level, so they set the SSL defaults for this forwarder:

[tcpout]
sslCertPath=<full path to client certificate>
sslPassword=<password for cert>
sslRootCAPath=<optional path to root certificate authority file>
sslVerifyServerCert=false

Set up SSL for encryption and authentication

You must enable authentication at the server level of stanza, since each receiving server must have its own certificate:

[tcpout-server://<ip address>:<port>]
sslCertPath=<full path to client certificate>
sslPassword=<password for cert>
sslRootCAPath=<optional path to root certificate authority file>
sslVerifyServerCert=true
sslCommonNameToCheck=<server's common name>
sslAltNameToCheck=<server's alternate name>

You need to create a stanza for each receiver that the forwarder authenticates with.

Enable SSL on the receiver

You enable SSL in the receiver's inputs.conf file. This involves two steps:

  • Add an [SSL] stanza.
  • Add listener stanzas for each port listening for SSL data.

Configure the [SSL] stanza

This table describes the attributes for the [SSL] stanza:

Attribute Value
serverCert Full path to server certificate file.
password Password for the certificate, if any. If no password, leave blank or unset.
rootCA Path to the root certificate authority file.
dhfile Path to the dhfile.pem file. Optional.
requireClientCert Set to true or false. Default is "false". If set to "true", the receiver will require a valid certificate from the client to complete the connection.


Here's how it looks:

[SSL]
serverCert=<path to server certificate>
password=<server certificate password>
rootCA=<certificate authority list>
dhfile=<optional path to dhfile.pem> 
requireClientCert=<true|false> - set to "true" if authenticating

Configure the listener stanzas

You need to add stanzas for each port the receiver will be listening to SSL data on.

For cooked, encrypted data coming from a forwarder, use this stanza:

[splunktcp-ssl:<port>]

The port must correspond to the port specified by the forwarder in outputs.conf.

For raw, encrypted data coming from either a forwarder or a third-party system, use this stanza instead:

[tcp-ssl:<port>]

Example SSL configuration

This example shows a configuration that sets up SSL encryption only (no authentication).

Edit the forwarder's outputs.conf:

[tcpout]
defaultGroup = ssl_group.domain.com_9996

[tcpout:ssl_group.domain.com_9996]
server = 10.1.5.148:9996

[tcpout-server://10.1.5.148:9996]
sslCertPath=$SPLUNK_HOME/etc/auth/server.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert=false

Edit the receiver's inputs.conf:

[SSL]
serverCert=$SPLUNK_HOME/etc/auth/server.pem
password=password
rootCA=$SPLUNK_HOME/etc/auth/cacert.pem
requireClientCert=false

[splunktcp-ssl:9996]

For more information

For detailed procedures that illustrate various scenarios for using SSL with forwarding and receiving, see

PREVIOUS
Use SSL for secure intra-Splunk communication
  NEXT
Configure archive signing

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

Jedwardgrow - thanks for checking that case issue.<br /><br />Moseisleydk - I suggest you consider posing your question in Splunk Answers: <br /><br />http://splunk-base.splunk.com/answers/

Sgoodman
October 6, 2011

Is it possible to have multiple CA's and hence different Server/Client certs? I have amazon klients in groups, and want the possibility to disable their possibility to access they server (and cant block on IP)

Moseisleydk
September 15, 2011

In "Set up SSL for encryption and authentication": <br /><br />sslCommonNametoCheck= server's common name<br /> should be<br />sslCommonNameToCheck= server's common name<br /><br />property is case sensitive (and correct in the "Configure the [SSL] stanza" table)

Jedwardgrow
September 14, 2011

This wiki link http://www.splunk.com/wiki/Community:Splunk2Splunk_SSL_SelfSignedCert_NewRootCA gives additional docs and extra examples. Very helpful.

Dpaper
April 6, 2011

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters