Documentation > Splunk > Admin Manual > Use SSL to encrypt and authenticate data from forwarders

Admin Manual

 


Welcome to Splunk administration
What to do first
Use Splunk Web
Getting started for Windows admins
Manage Splunk licenses
Meet Splunk apps
Configure Splunk
Indexing with Splunk
Manage users
Manage indexes
Define alerts
Set up backups and retention policies
Configure data security
Manage search jobs
Use Splunk's command line interface (CLI)
Configuration file reference

Use SSL to encrypt and authenticate data from forwarders

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Use SSL to encrypt and authenticate data from forwarders

The communication between forwarder and receiver can use SSL authentication and encryption, or just SSL encryption.

To enable SSL, edit each forwarder's outputs.conf file and each receiver's inputs.conf file.

Enable SSL on the forwarder

You enable SSL in the forwarder's outputs.conf file. If you are using SSL just for encryption, you can set SSL attributes at any stanza level: default (tcpout), target group, or server. If you are also using SSL for authentication, you must specify SSL attributes at the server level. Each receiving server needs a stanza that specifies its certificate names.

For detailed guidance on configuring outputs.conf, including its stanza levels, see "Configure forwarders with outputs.conf" in the Distributed Deployment manual.

SSL attributes

This table describes the set of SSL attributes in outputs.conf:

Attribute Value
sslCertPath Full path to client certificate file.
sslPassword Password for the certificate. Default is "password".
sslRootCAPath Path to root certificate authority file.
sslVerifyServerCert Set to true or false. Default is "false", which enables SSL for encryption only. If set to "true", the forwarder will determine whether the receiving server is authenticated, checking sslCommonNameToCheck and sslAltNameToCheck for a match. If neither matches, authentication fails.
sslCommonNameToCheck Server's common name. Set only if sslVerfyServerCert is "true". The forwarder checks the common name of the server's certificate against this value.
sslAltNameToCheck Server's alternate name. Set only if sslVerfyServerCert is "true". The forwarder checks the alternate name of the server's certificate against this value.


Set SSL for encryption only

Add attribute/value pairs at the appropriate stanza level. Here, the attributes are specified at the tcpout level, so they set the SSL defaults for this forwarder: 

[tcpout]
sslCertPath=<full path to client certificate>
sslPassword=<password for cert>
sslRootCAPath=<optional path to root certificate authority file>
sslVerifyServerCert=false

Set up SSL for encryption and authentication

You must enable authentication at the server level of stanza, since each receiving server must have its own certificate: 

[tcpout-server://<ip address>:<port>]
sslCertPath=<full path to client certificate>
sslPassword=<password for cert>
sslRootCAPath=<optional path to root certificate authority file>
sslVerifyServerCert=true
sslCommonNameToCheck=<server's common name>
sslAltNameToCheck=<server's alternate name>

You need to create a stanza for each receiver that the forwarder authenticates with.

Enable SSL on the receiver

You enable SSL in the receiver's inputs.conf file. This involves two steps:

  • Add an [SSL] stanza.
  • Add listener stanzas for each port listening for SSL data.

Configure the [SSL] stanza

This table describes the attributes for the [SSL] stanza:

Attribute Value
serverCert Full path to server certificate file.
password Password for the certificate, if any. If no password, leave blank or unset.
rootCA Path to the root certificate authority file.
dhfile Path to the dhfile.pem file. Optional.
requireClientCert Set to true or false. Default is "false". If set to "true", the receiver will require a valid certificate from the client to complete the connection.


Here's how it looks: 

[SSL]
serverCert=<path to server certificate>
password=<server certificate password>
rootCA=<certificate authority list>
dhfile=<optional path to dhfile.pem> 
requireClientCert=<true|false> - set to "true" if authenticating

Configure the listener stanzas

You need to add stanzas for each port the receiver will be listening to SSL data on.

For cooked, encrypted data coming from a forwarder, use this stanza: 

[splunktcp-ssl:<port>]

The port must correspond to the port specified by the forwarder in outputs.conf.

For raw, encrypted data coming from either a forwarder or a third-party system, use this stanza instead: 

[tcp-ssl:<port>]

Example SSL configuration

This example shows a configuration that sets up SSL encryption only (no authentication).

Edit the forwarder's outputs.conf: 

[tcpout]
defaultGroup = ssl_group.domain.com_9996

[tcpout:ssl_group.domain.com_9996]
server = 10.1.5.148:9996

[tcpout-server://10.1.5.148:9996]
sslCertPath=$SPLUNK_HOME/etc/auth/server.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert=false

Edit the receiver's inputs.conf: 

[SSL]
serverCert=$SPLUNK_HOME/etc/auth/server.pem
password=password
rootCA=$SPLUNK_HOME/etc/auth/cacert.pem
requireClientCert=false

[splunktcp-ssl:9996]

For more information

For detailed procedures that illustrate various scenarios for using SSL with forwarding and receiving, see

Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.3.1/Admin/UseSSLtoencryptandauthenticatedatafromforwarders"

This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 View the Article History for its revisions.


Comments

Jedwardgrow - thanks for checking that case issue.

Moseisleydk - I suggest you consider posing your question in Splunk Answers:

http://splunk-base.splunk.com/answers/

Sgoodman
October 6, 2011

Is it possible to have multiple CA's and hence different Server/Client certs? I have amazon klients in groups, and want the possibility to disable their possibility to access they server (and cant block on IP)

Moseisleydk
September 15, 2011

In "Set up SSL for encryption and authentication":

sslCommonNametoCheck= server's common name
should be
sslCommonNameToCheck= server's common name

property is case sensitive (and correct in the "Configure the [SSL] stanza" table)

Jedwardgrow
September 14, 2011

This wiki link http://www.splunk.com/wiki/Community:Splunk2Splunk_SSL_SelfSignedCert_NewRootCA gives additional docs and extra examples. Very helpful.

Dpaper
April 6, 2011

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!