Splunk® Enterprise

Securing Splunk Enterprise


Configure Splunk forwarding to use your own certificates

This topic describes how to send data from your forwarders to your indexers using your own SSL certificates. Using certificates to secure the data from forwarders helps ensure that your data is securely encrypted when in transit on your network. This topic describes the following steps:

  • Configure the indexer(s) to use a new signed certificate, as described in this topic.
  • Configure the forwarder(s) to use a new signed certificate, as described in this topic.

Before you begin, you must procure and prepare your certificates. Make sure your certificates are PEM files in X.509 format and that your key is in RSA format. If you need help, we've provided a few simple examples to help you create and prepare your own certificates. See "About securing data from forwarders" and "About securing inter-Splunk communication" for more information.

You can also create multiple certificates (signed by the same CA) with different common names and distribute those to your indexers for added security. When given the CA's public certificate, the forwarder trusts that CA, verifies that the indexer's certificate was issued by it, and checks that the certificate's name matches sslCommonNameToCheck or sslAltNameToCheck.

Configure your indexer to use your certificates

1. Copy your server certificate and CA public certificate into an accessible folder on the indexer(s) you intend to configure. For example: $SPLUNK_HOME/etc/auth/mycerts/

Warning: If you configure inputs.conf or outputs.conf in an app directory, the password is NOT encrypted and the clear-text value remains in the file. For this reason, you may prefer to create different certificates (signed by the same root CA) to use when configuring SSL in app directories.

2. Configure inputs.conf on the indexer(s) to use the new server certificate. In $SPLUNK_HOME/etc/system/local/inputs.conf (or in the appropriate directory of any app you are using to distribute your forwarding configuration), set up the [SSL] stanzas:

[SSL]
# The public certificate of the same CA that issued the forwarder's certificate
rootCA = $SPLUNK_HOME/etc/auth/mycacert.pem
# The server certificate issued by the customer-generated CA
serverCert = $SPLUNK_HOME/etc/auth/myservercert.pem
requireClientCert = false
# This attribute must have the same value as the attribute on the forwarder
compressed = false
[splunktcp-ssl:9996]

When you save the file in $SPLUNK_HOME/etc/system/local/inputs.conf and restart Splunk Enterprise, Splunk software encrypts the server certificate password and overwrites the clear-text value you provided.

Note: We do not recommend that you disable TLS compression, as it can cause bandwidth issues.

3. Restart splunkd.

# $SPLUNK_HOME/bin/splunk restart splunkd

Configure your forwarders to use your certificates

1. Generate a new certificate (for example, client.pem) and copy the new certificate and the CA public certificate myCACertificate.pem into an accessible folder on the forwarders you plan to configure. For this example, we are placing them in $SPLUNK_HOME/etc/auth/mycerts/.

Warning: If you configure inputs.conf or outputs.conf in an app directory, the password is NOT encrypted and the clear-text value remains in the file. For this reason, you may prefer to create different certificates (signed by the same root CA) to use when configuring SSL in app directories.

2. Define the [SSL] stanza in $SPLUNK_HOME/etc/system/local/outputs.conf (or in the appropriate directory of any app you are using to distribute your forwarding configuration):

[tcpout:splunkssl]
compressed = false
disabled = false
server = indexer:9997
sslCommonNameToCheck = indexercn.example.org
sslCertPath = $SPLUNK_HOME/etc/auth/client.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/...
sslVerifyServerCert = true

Note that when you save the file in $SPLUNK_HOME/etc/system/local/outputs.conf, Splunk encrypts and overwrites the clear-text server certificate password when splunkd restarts.

3. Restart splunkd.

# $SPLUNK_HOME/bin/splunk restart splunkd

Other configuration options

To forward data to more than one indexer

To configure a forwarder to authenticate to multiple indexers, add their HOST:PORT addresses as a comma-separated list in the "server" setting of the target group definition stanza.

The following example uses the same certificate for the indexer and the forwarders:

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = 10.1.12.112:9997,10.1.12.111:9999
compressed = false
disabled = false
sslCommonNameToCheck = indexercn.example.org
sslCertPath = $SPLUNK_HOME/etc/auth/client.pem
# The public certificate of the same CA that issued the indexer's certificate
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycacert.pem
sslVerifyServerCert = true

To forward data to multiple indexers using certificates with different common names

You can create and configure one server certificate for each indexer by configuring the forwarder's outputs.conf with one server-specific [SSLConfig] stanza per indexer.

If you have created one server certificate per indexer and you have set a unique sslCommonNameToCheck or sslAltNameToCheck in each indexer certificate to be checked by the forwarders, you will need to configure one [tcpout-server://HOST:PORT] configuration stanza per indexer in outputs.conf. This is so that you can specify which name to check for which indexer.
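The settings above are easy to get subtly wrong: a stray duplicate key, a line written as "key: value" instead of "key = value", or a target group that never sets sslVerifyServerCert = true leaves the forwarder connecting without ever authenticating the indexer. The following linter is an added example (not Splunk code) that reads an outputs.conf body, flags those mistakes, and checks each target group and each per-indexer [tcpout-server://HOST:PORT] stanza for the CA path, the server-verification switch and a common-name or alt-name check; the sample configurations are constructed for this example. It assumes the layering [tcpout] < [tcpout:group] < [tcpout-server://host:port], with later stanzas overriding earlier ones, which is not stated on this page.

```python
"""Lint a Splunk outputs.conf for the TLS settings this topic describes.

Added example, not Splunk's own code. Parsing is a minimal INI-style reader
(stanza headers in [brackets], key = value, '#' comment lines). The precedence
[tcpout-server://...] > [tcpout:group] > [tcpout] is an assumption of this
example, not something this page states.
"""
import re
from collections import OrderedDict

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[A-Za-z][\w.]*)\s*=\s*(?P<val>.*?)\s*$")


def parse_conf(text):
    """Return ({stanza: {key: value}}, [problem strings]).

    Duplicate keys inside a stanza and lines that are neither a stanza header
    nor 'key = value' (for example 'key: value') are reported as problems.
    """
    stanzas, problems, current = OrderedDict(), [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group("name")
            stanzas.setdefault(current, OrderedDict())
            continue
        m = KV_RE.match(line)
        if not m or current is None:
            problems.append(f"line {lineno}: not a '[stanza]' or 'key = value' line: {line!r}")
            continue
        key, val = m.group("key"), m.group("val")
        if key in stanzas[current]:
            problems.append(f"line {lineno}: duplicate key {key!r} in [{current}]; last value wins")
        stanzas[current][key] = val
    return stanzas, problems


def effective(stanzas, group, server=None):
    """Merge [tcpout] <- [tcpout:group] <- [tcpout-server://server] (assumed order)."""
    merged = dict(stanzas.get("tcpout", {}))
    merged.update(stanzas.get(f"tcpout:{group}", {}))
    if server:
        merged.update(stanzas.get(f"tcpout-server://{server}", {}))
    return merged


def lint_outputs(text, in_app_dir=False):
    """Return a list of findings for one outputs.conf body.

    in_app_dir=True models a file under an app directory, where (per this
    topic) sslPassword is not encrypted and stays clear-text on disk.
    """
    stanzas, findings = parse_conf(text)
    groups = [s.split(":", 1)[1] for s in stanzas if s.startswith("tcpout:")]
    for group in groups:
        g = stanzas[f"tcpout:{group}"]
        servers = [s.strip() for s in g.get("server", "").split(",") if s.strip()]
        if not servers:
            findings.append(f"[tcpout:{group}]: no 'server' target")
        for server in servers or [None]:
            cfg = effective(stanzas, group, server)
            where = f"[tcpout:{group}]" + (f" -> {server}" if server else "")
            if cfg.get("sslVerifyServerCert", "false").lower() != "true":
                findings.append(f"{where}: sslVerifyServerCert is not true; the indexer is never authenticated")
            if not cfg.get("sslRootCAPath"):
                findings.append(f"{where}: sslRootCAPath missing; no CA to verify the indexer against")
            if not (cfg.get("sslCommonNameToCheck") or cfg.get("sslAltNameToCheck")):
                findings.append(f"{where}: neither sslCommonNameToCheck nor sslAltNameToCheck is set")
            if not cfg.get("sslCertPath"):
                findings.append(f"{where}: sslCertPath missing; no forwarder certificate configured")
            if in_app_dir and cfg.get("sslPassword"):
                findings.append(f"{where}: sslPassword in an app directory stays clear-text on disk")
    return findings


# Constructed sample: a duplicated 'server' key, a 'key: value' line, and no
# server verification at all.
WEAK_OUTPUTS = """[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = 10.1.12.112:9997,10.1.12.111:9999
compressed = false
disabled = false
server = indexer:9997
sslCertPath = $SPLUNK_HOME/etc/auth/client.pem
sslRootCAPath: $SPLUNK_HOME/etc/auth/mycacert.pem
"""

# Constructed sample: one certificate per indexer, each with its own CN check.
GOOD_OUTPUTS = """[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
server = 10.1.12.112:9997,10.1.12.111:9999
disabled = false
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/client.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/mycacert.pem
sslVerifyServerCert = true

[tcpout-server://10.1.12.112:9997]
sslCommonNameToCheck = idx1.example.org

[tcpout-server://10.1.12.111:9999]
sslCommonNameToCheck = idx2.example.org
"""

if __name__ == "__main__":
    for label, body in (("weak", WEAK_OUTPUTS), ("good", GOOD_OUTPUTS)):
        print(f"--- {label} ---")
        for f in lint_outputs(body) or ["no findings"]:
            print(f)
```

Run it against a real file with `lint_outputs(open(path).read(), in_app_dir="/etc/apps/" in path)`; the weak sample yields five findings (the duplicate key, the malformed line, and the three missing verification settings), the good one none.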

Next steps

Next, you should check your connection to make sure your configuration works. See "Validate your configuration" for more information.


This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Comments

Mikesangray,

I think we discourage wildcard certs simply as a best practice, but they may work. You might ask answers if anyone has tried it? Meanwhile I will talk with our security guys to see if this is something we can encourage or at least describe in the rewrite I am currently working on.

Jworthington splunk, Splunker
March 22, 2016

Derrierdominique, per my testing and past QA confirmation, the private key password is required on the client side in this configuration. I'm in the process of rewrites/reorg for this content, so I can dig back into that and see the if and why of the current situation and get back to you. Hope that helps.

Jworthington splunk, Splunker
March 22, 2016

What about wildcard certs? It will be very cumbersome to manage forwarder certs when the number of forwarders gets into the double and triple digits and beyond.

Mikesangray
March 21, 2016

I don't understand why the server's private key is needed on the client side.

Derrierdominique
March 11, 2016

I have just tried to set the password inside an App and it does now get encrypted ( v 6.2.1 )

Mzorzi
January 12, 2015

Hi Adaniel8 -

These tasks should work for both types of forwarders.

Cheers,
Jen

Jworthington splunk
October 23, 2014

Hi Nelissen -

Yeah, the compressed attribute is not relevant here, I've removed it. Thanks for pointing this out!

Jworthington splunk
October 23, 2014

Hi Rturk -

You are correct, the password is encrypted upon restart. I've updated the documentation accordingly.

Jworthington splunk
October 23, 2014

Hi,

Can SSL configuration be applied on Splunk Universal Forwarders? I am aware that it was only available on Splunk Heavy Forwarders in the past.

Adaniel8
October 22, 2014

Isn't compressed = true only for non-SSL connections? SSL automatically compresses the packets.

Nelissen
April 15, 2014

RE: "Note that when you save the file in $SPLUNK_HOME/etc/system/local/inputs.conf the Splunk hashes and overwrites the clear-text server certificate password you provided.", the hashing of the password takes place after you restart the splunkd process, not when you save the file. Same applies for the outputs.conf option on the Forwarder - Just FYI ;-)

Rturk
August 26, 2013
