Use SSL to encrypt and authenticate data from forwarders
The communication between forwarder and receiver can use SSL authentication and encryption, or just SSL encryption.
To enable SSL, edit each forwarder's outputs.conf file and each receiver's
Enable SSL on the forwarder
You enable SSL in the forwarder's outputs.conf file. If you are using SSL just for encryption, you can set SSL attributes at any stanza level: default (tcpout), target group, or server. If you are also using SSL for authentication, you must specify SSL attributes at the server level. Each receiving server needs a stanza that specifies its certificate names.
For detailed guidance on configuring outputs.conf, including its stanza levels, see "Configure forwarders with outputs.conf" in the Distributed Deployment manual.
This table describes the set of SSL attributes in
|sslCertPath||Full path to client certificate file.|
|sslPassword||Password for the certificate. Default is "password".|
|sslRootCAPath||Path to root certificate authority file.|
|sslVerifyServerCert|| Set to true or false. Default is "false", which enables SSL for encryption only. If set to "true", the forwarder will determine whether the receiving server is authenticated, checking |
|sslCommonNameToCheck|| Server's common name. Set only if |
|sslAltNameToCheck|| Server's alternate name. Set only if |
Set SSL for encryption only
Add attribute/value pairs at the appropriate stanza level. Here, the attributes are specified at the tcpout level, so they set the SSL defaults for this forwarder:

    [tcpout]
    sslCertPath=<full path to client certificate>
    sslPassword=<password for cert>
    sslRootCAPath=<optional path to root certificate authority file>
    sslVerifyServerCert=false

Set up SSL for encryption and authentication
You must enable authentication at the server stanza level, since each receiving server must have its own certificate:

    [tcpout-server://<ip address>:<port>]
    sslCertPath=<full path to client certificate>
    sslPassword=<password for cert>
    sslRootCAPath=<optional path to root certificate authority file>
    sslVerifyServerCert=true
    sslCommonNameToCheck=<server's common name>
    sslAltNameToCheck=<server's alternate name>

You need to create a stanza for each receiver that the forwarder authenticates with.
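
The forwarder rules above can be checked mechanically. The following Python sketch is an added example, not Splunk code: it reads outputs.conf text and reports stanzas that turn on server verification above the server level, server stanzas left at encryption only, and certificates that keep the default password. The function name and the sample configuration are constructed for illustration, and each stanza is checked on its own without resolving inherited defaults.

```python
import configparser

DEFAULT_PASSWORD = "password"  # default given in the attribute table above

def audit_outputs_conf(text):
    """Return sorted (stanza, finding) pairs for a forwarder's outputs.conf text."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep attribute names case-sensitive
    cp.read_string(text)
    findings = []
    for stanza in cp.sections():
        if not (stanza == "tcpout" or stanza.startswith(("tcpout:", "tcpout-server://"))):
            continue
        attrs = dict(cp.items(stanza))
        if not any(name.startswith("ssl") for name in attrs):
            continue  # no SSL attributes set in this stanza
        server_level = stanza.startswith("tcpout-server://")
        verify = attrs.get("sslVerifyServerCert", "false").strip().lower() == "true"
        if verify and not server_level:
            findings.append((stanza, "authentication set above the server level"))
        if server_level and not verify:
            findings.append((stanza, "encryption only: receiver is not authenticated"))
        if attrs.get("sslPassword") == DEFAULT_PASSWORD:
            findings.append((stanza, "certificate password is the default"))
    return sorted(findings)

# Constructed sample: an encryption-only server stanza plus one misplaced setting.
SAMPLE = """
[tcpout]
defaultGroup = ssl_group.domain.com_9996

[tcpout:ssl_group.domain.com_9996]
server = 10.1.5.148:9996
sslVerifyServerCert=true

[tcpout-server://10.1.5.148:9996]
sslCertPath=$SPLUNK_HOME/etc/auth/server.pem
sslPassword=password
sslRootCAPath=$SPLUNK_HOME/etc/auth/ca.pem
sslVerifyServerCert=false
"""

if __name__ == "__main__":
    for stanza, finding in audit_outputs_conf(SAMPLE):
        print(f"[{stanza}] {finding}")
```
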
Enable SSL on the receiver
You enable SSL in the receiver's inputs.conf file. This involves two steps:
- Add an
- Add listener stanzas for each port listening for SSL data.
Configure the [SSL] stanza
This table describes the attributes for the
|serverCert||Full path to server certificate file.|
|password||Password for the certificate, if any. If no password, leave blank or unset.|
|rootCA||Path to the root certificate authority file.|
|dhfile|| Path to the |
|requireClientCert||Set to true or false. Default is "false". If set to "true", the receiver will require a valid certificate from the client to complete the connection.|
Here's how it looks:

    [SSL]
    serverCert=<path to server certificate>
    password=<server certificate password>
    rootCA=<certificate authority list>
    dhfile=<optional path to dhfile.pem>
    requireClientCert=<true|false> - set to "true" if authenticating

Configure the listener stanzas
Add a stanza for each port on which the receiver listens for SSL data.
For cooked, encrypted data coming from a forwarder, use this stanza:
port must correspond to the port specified by the forwarder in
For raw, encrypted data coming from either a forwarder or a third-party system, use this stanza instead:
Example SSL configuration
This example shows a configuration that sets up SSL encryption only (no authentication).
Edit the forwarder's

    [tcpout]
    defaultGroup = ssl_group.domain.com_9996

    [tcpout:ssl_group.domain.com_9996]
    server = 10.1.5.148:9996

    [tcpout-server://10.1.5.148:9996]
    sslCertPath=$SPLUNK_HOME/etc/auth/server.pem
    sslPassword=password
    sslRootCAPath=$SPLUNK_HOME/etc/auth/ca.pem
    sslVerifyServerCert=false

Edit the receiver's

    [SSL]
    serverCert=$SPLUNK_HOME/etc/auth/server.pem
    password=password
    rootCA=$SPLUNK_HOME/etc/auth/cacert.pem
    requireClientCert=false

    [splunktcp-ssl:9996]

For more information
For detailed procedures that illustrate various scenarios for using SSL with forwarding and receiving, see
Use SSL for secure intra-Splunk communication
Configure archive signing
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7