Splunk® Enterprise

Securing Splunk Enterprise

About securing Splunk Enterprise with SSL

This section describes the types of Splunk configurations that you might want to secure with SSL.

About the default certificates

Splunk software ships with, and is configured to use, a set of default certificates. These certificates discourage casual snoopers but could still leave you vulnerable: the root certificate and its key are the same in every Splunk download, so certificates from any other Splunk installation chain to that same root and can pass certificate authentication against yours.

The default certificates are generated and configured at startup and can be found in $SPLUNK_HOME/etc/auth/. They are set to expire three years after they are generated, and new certificates must be created and configured before then. You can read the expiry date of the default server certificate with openssl x509 -noout -enddate -in $SPLUNK_HOME/etc/auth/server.pem.

Ways you can secure Splunk Enterprise

You can apply encryption and/or authentication using your own certificates for:

  • Communications between the browser and Splunk Web
  • Communication from Splunk forwarders to indexers
  • Other types of communication, such as communications between Splunk instances over the management port

The table below describes the most common scenarios and the default SSL settings. For each type of exchange it lists the client function, the server function, whether encryption, certificate authentication and Common Name checking are enabled by default, and the type of data exchanged.

Browser to Splunk Web
  • Client function: browser
  • Server function: Splunk Web
  • Encryption: NOT enabled by default
  • Certificate authentication: dictated by client (browser)
  • Common Name checking: dictated by client (browser)
  • Data exchanged: configuration and search data

Splunk Web to search head
  • Client function: Splunk Web
  • Server function: splunkd as a search head
  • Encryption: enabled by default
  • Certificate authentication: NOT enabled by default
  • Common Name checking: NOT enabled by default
  • Data exchanged: configuration and search data

Forwarding
  • Client function: splunkd as a forwarder
  • Server function: splunkd as an indexer
  • Encryption: NOT enabled by default
  • Certificate authentication: NOT enabled by default
  • Common Name checking: NOT enabled by default
  • Data exchanged: data to be indexed

Deployment server to deployment clients
  • Client function: splunkd as a deployment client
  • Server function: splunkd as a deployment server
  • Encryption: enabled by default
  • Certificate authentication: NOT enabled by default
  • Common Name checking: NOT enabled by default; SSL authentication is not recommended here, use pass4SymmKey instead
  • Data exchanged: configuration data

Distributed search
  • Client function: splunkd as a search head (the search head opens the connection to each peer)
  • Server function: splunkd as a search peer
  • Encryption: enabled by default
  • Certificate authentication: NOT enabled by default
  • Common Name checking: NOT enabled by default; SSL authentication is not recommended here, use pass4SymmKey instead
  • Data exchanged: search data

Search head clusters
  • Client function: splunkd as a cluster member
  • Server function: splunkd as a cluster member
  • Encryption: enabled by default
  • Certificate authentication: NOT enabled by default
  • Common Name checking: NOT enabled by default; SSL authentication is not recommended here, use pass4SymmKey instead
  • Data exchanged: cluster data

Search head cluster deployer
  • Client function: splunkd as a cluster member
  • Server function: splunkd as the cluster deployer
  • Encryption: enabled by default
  • Certificate authentication: NOT enabled by default
  • Common Name checking: NOT enabled by default; SSL authentication is not recommended here, use pass4SymmKey instead
  • Data exchanged: configuration data

Indexer cluster peer nodes
  • Client function: splunkd as an indexer cluster peer node
  • Server function: splunkd as an indexer cluster peer node
  • Encryption: enabled by default
  • Certificate authentication: NOT enabled by default
  • Common Name checking: NOT enabled by default; SSL authentication is not recommended here, use pass4SymmKey instead
  • Data exchanged: replication data

Indexer cluster master
  • Client function: splunkd as a peer node or search head
  • Server function: splunkd as the master node
  • Encryption: enabled by default
  • Certificate authentication: NOT enabled by default
  • Common Name checking: NOT enabled by default; SSL authentication is not recommended here, use pass4SymmKey instead
  • Data exchanged: cluster data

Communications between the browser and Splunk Web

Browser to Splunk Web data most commonly consists of search requests and returned data.

Data encryption (HTTPS) can be turned on using Splunk Web or by editing the configuration files. Keep in mind that encryption with the default certificate protects against casual listening only: because every Splunk download carries the same certificate, it gives the browser no way to verify which server it is talking to.

For better security, replace the default certificates with certificates signed by a trusted CA. We strongly recommend using CA-signed certificates rather than signing your own in this case: unless you can add your own CA to the certificate store of every browser that will access Splunk Web, users' browsers will treat a self-signed certificate as untrusted and warn on every visit. For more information, see "About securing Splunk Web."

Splunk forwarders to indexers

Data sent from forwarders to indexers is the data that your indexers use for searches and reports. Depending on your organization, the nature and format of the data being transmitted, and your Splunk configuration, this data may or may not be readable or sensitive.

Encrypting this traffic protects sensitive raw data against snooping; authenticating the indexer's certificate is what protects it against man-in-the-middle attacks.

You can turn on SSL using the default certificate to get encryption and compression. However, communication using the default certificate does not provide secure authentication, because the certificate and its password are supplied with every installation of Splunk software. The default certificates are set to expire three years after initial startup, and forwarder to indexer communications will fail when they do.

For better security, require certificate authentication using a self- or CA-signed certificate. A certificate signed by a known and mutually trusted Certificate Authority is considered more secure by outside parties than a certificate you sign yourself. For more information about using certificates with Splunk forwarders and indexers, see "About securing data from forwarders."
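The settings described in this section and in "Communications between the browser and Splunk Web" above (HTTPS on Splunk Web, SSL on the forwarder-to-indexer connection, non-default certificates, sslVerifyServerCert together with a common-name check, requireClientCert on the indexer) can be audited directly from the configuration files. The script below is an added example, not Splunk's own tooling or code from this manual: it parses web.conf, outputs.conf and inputs.conf fragments using the documented stanza and key names and reports each weak setting. The host names, certificate paths and passphrases in the sample configs are constructed for the example, and the weak sample is shown beside a hardened one.

```python
"""Audit Splunk .conf fragments for the SSL posture this page describes.

Added example, not Splunk's own tooling. Stanza and key names are the
documented ones for web.conf [settings], outputs.conf [tcpout:<group>] and
inputs.conf [splunktcp*] / [SSL]; host names, paths and passphrases in the
sample configs are constructed for this example.
"""
import configparser

# Certificate files Splunk generates at first start. Every download carries
# the same CA, so these give encryption but no real authentication.
DEFAULT_CERT_FILES = ("etc/auth/server.pem", "etc/auth/cacert.pem",
                      "etc/auth/ca.pem", "etc/auth/splunkweb/cert.pem")

def parse_conf(text):
    """Splunk .conf files are INI-style; keep key case, tolerate duplicates."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def is_true(value):
    return value.strip().lower() in ("true", "1", "yes")

def uses_default_cert(path):
    return path.strip().replace("\\", "/").endswith(DEFAULT_CERT_FILES)

def audit_outputs(text):
    """Forwarder side: is traffic encrypted, and is the indexer authenticated?"""
    findings, cp = [], parse_conf(text)
    for stanza in cp.sections():
        if not stanza.startswith("tcpout:"):
            continue
        s = cp[stanza]
        cert = s.get("clientCert") or s.get("sslCertPath")  # either key enables SSL
        if not cert:
            findings.append(f"[{stanza}] no sslCertPath/clientCert: data leaves in cleartext")
            continue
        if uses_default_cert(cert) or uses_default_cert(s.get("sslRootCAPath", "")):
            findings.append(f"[{stanza}] default Splunk certificate: encryption only")
        if not is_true(s.get("sslVerifyServerCert", "false")):
            findings.append(f"[{stanza}] sslVerifyServerCert off: indexer identity not checked")
        elif not (s.get("sslCommonNameToCheck") or s.get("sslAltNameToCheck")):
            findings.append(f"[{stanza}] no name check: any cert from the trusted CA is accepted")
    return findings

def audit_inputs(text):
    """Indexer side: plaintext ports, shipped certificate, forwarder authentication."""
    findings, cp = [], parse_conf(text)
    findings += [f"[{s}] plaintext receiving port" for s in cp.sections()
                 if s.startswith("splunktcp:")]
    if any(s.startswith("splunktcp-ssl:") for s in cp.sections()):
        ssl = cp["SSL"] if cp.has_section("SSL") else {}
        cert = ssl.get("serverCert", "")
        if not cert or uses_default_cert(cert):
            findings.append("[SSL] serverCert missing or default: shipped certificate in use")
        if not is_true(ssl.get("requireClientCert", "false")):
            findings.append("[SSL] requireClientCert off: forwarders are not authenticated")
    return findings

def audit_web(text):
    """Browser to Splunk Web: HTTPS on, and with a certificate browsers can trust?"""
    cp = parse_conf(text)
    s = cp["settings"] if cp.has_section("settings") else {}
    if not is_true(s.get("enableSplunkWebSSL", "false")):
        return ["[settings] enableSplunkWebSSL off: browser traffic is plain HTTP"]
    cert = s.get("serverCert", "")
    if not cert or uses_default_cert(cert):
        return ["[settings] serverCert missing or default: browsers will not trust it"]
    return []

# Constructed samples: the out-of-the-box shape beside a hardened one.
WEAK_OUTPUTS = "[tcpout]\ndefaultGroup = indexers\n[tcpout:indexers]\nserver = idx1.example.com:9997\n"
HARDENED_OUTPUTS = WEAK_OUTPUTS + """\
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/cacert.pem
sslPassword = forwarder-key-passphrase
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.com
"""
WEAK_INPUTS = "[splunktcp://9997]\ndisabled = 0\n"
HARDENED_INPUTS = """\
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/mycerts/indexer.pem
sslPassword = indexer-key-passphrase
requireClientCert = true
"""

if __name__ == "__main__":
    for name, audit, text in (("outputs.conf (weak)", audit_outputs, WEAK_OUTPUTS),
                              ("outputs.conf (hardened)", audit_outputs, HARDENED_OUTPUTS),
                              ("inputs.conf (weak)", audit_inputs, WEAK_INPUTS),
                              ("inputs.conf (hardened)", audit_inputs, HARDENED_INPUTS)):
        print(name, audit(text) or ["no findings"])
```

To audit a real deployment, pass the contents of the files under $SPLUNK_HOME/etc/system/local/ (or the relevant app's local/ directory) to the audit functions; a cleartext sslPassword is replaced by an encrypted value the next time splunkd restarts, so do not be surprised when the stored value differs from what you wrote.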

Other SSL communications

Other Splunk communications happen between different instances of Splunk software over the management port, usually but not always in a distributed environment. An example of this is configuration data sent by a deployment server to its clients. SSL encryption for this traffic is enabled by default using the default certificates; certificate authentication is not, and for deployment and cluster traffic a shared pass4SymmKey is the recommended way to authenticate instances. For most configurations this is adequate and is the recommended security method. However, if you do need to secure your communications with SSL authentication, we've provided some guidelines to help you in "About securing Splunk to Splunk communication" in this manual.

To learn about more ways to use TLS certificates, see the following topics:


Getting your certificates

If you are experienced with SSL certificates, you can create them as you normally would and go straight to configuring your Splunk instances to use them.

If you need help getting your certificates together, we've provided very simple examples using OpenSSL commands. (OpenSSL ships with Splunk software.)

What to do when you have your certificates

The following topics provide more information about configuring Splunk software to use your certificates once you have them:

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.1.0, 7.1.1, 7.1.2, 7.1.3


Comments

The table of the default SSL settings describes as follows:
- 4th type ("Deployment server to indexers")
Client function: splunkd as a forwarder
Server function: splunkd as an indexer
- 5th type ("Inter-Splunk communication")
Client function: splunkd as a deployment client
Server function: splunkd as deployment server

Is the above description correct?
* It seems that the 4th type describes "Forwarding" (not "Deployment server to indexers").
* It seems that the 5th type describes "Deployment server to indexers".

Parkyongsu
June 26, 2017

The windows forwarder installer is a bit misleading regarding encryption being on by default for forwarded data. The installer states when going through custom install "If the following information is not provided, forwarded Splunk data will still be encrypted with the default Splunk certificate."
http://imgur.com/a9X5VrD

I have had at least 3 clients assume this means it is on by default, but after inspection of outputs.conf after install no such configuration is in place. There is a mention at the end of the install, but the end user never checked because they assumed encryption was on,
http://imgur.com/a9X5VrD

Just thought I would let you know that many of your customers are being a bit misled by the installer.

Phoenixdigital
February 24, 2016

You are right, thanks for catching that! I've made the fix in the documentation.

Cheers,
jen

Jworthington splunk
February 3, 2014

I believe the last sentence under "Splunk forwarders to indexers" should say: "For more information about using certificates with Splunk Forwarders to Indexers communication", not "Web".

Xzjc3q
February 3, 2014
