Review your system security
Splunk software ships with a set of default certificates. The default certificates are generated and configured at startup and can be found in $SPLUNK_HOME/etc/auth/. Splunk recommends that administrators replace these default certificates with self-signed or third-party-signed certificates.
The following table describes the most common scenarios and the default SSL settings.
| Type of exchange | Client function | Server function | Encryption | Certificate Authentication | Common Name checking | Type of data exchanged |
|---|---|---|---|---|---|---|
| Browser to Splunk Web | Browser | Splunk Web | NOT enabled by default | dictated by client (browser) | dictated by client (browser) | search term results |
| Inter-Splunk communication | Splunk Web | splunkd | enabled by default | NOT enabled by default | NOT enabled by default | search term results |
| Forwarding | splunkd as a forwarder | splunkd as an indexer | NOT enabled by default | NOT enabled by default | NOT enabled by default | data to be indexed |
| Deployment server to indexers | splunkd as a forwarder | splunkd as an indexer | NOT enabled by default | NOT enabled by default | NOT enabled by default | Not recommended. Use Pass4SymmKey instead. |
| Inter-Splunk communication | splunkd as a deployment client | splunkd as deployment server | enabled by default | NOT enabled by default | NOT enabled by default | configuration data |
| Inter-Splunk communication | splunkd as a search head | splunkd as search peer | Enabled by default | NOT enabled by default | NOT enabled by default | search data |
Verify your SSL configurations
Splunk Web
Run the following search in Splunk Web to verify your SSL connections (the ssl field shows whether each inbound connection uses SSL):

```
index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname version sourceIp destPort ssl
```
Indexer and forwarder
On the indexer, look for the following or similar messages in the start-up sequence to verify that SSL is enabled on the receiving port:

```
02-06-2011 19:19:01.552 INFO TcpInputProc - using queueSize 1000
02-06-2011 19:19:01.552 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-06-2011 19:19:01.552 INFO TcpInputProc - supporting SSL v2/v3
02-06-2011 19:19:01.555 INFO TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL)
02-06-2011 19:19:01.555 INFO TcpInputProc - Port 9997 is compressed
02-06-2011 19:19:01.556 INFO TcpInputProc - Registering metrics callback for: tcpin_connections
```

On the forwarder, look for the following or similar messages in the start-up sequence to verify that it is configured to use SSL for its outputs:

```
02-06-2011 19:06:10.844 INFO TcpOutputProc - Retrieving configuration from properties
02-06-2011 19:06:10.850 INFO TcpOutputProc - Using SSL for server 10.1.12.112:9997, clientCert=/opt/splunk/etc/aut/server.pem
02-06-2011 19:06:10.854 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher=
02-06-2011 19:06:10.859 INFO TcpOutputProc - initializing single connection with retry strategy for 10.1.12.112:9997
```

Following is how a successful connection might appear in splunkd.log on the indexer:

```
02-06-2011 19:19:09.848 INFO TcpInputProc - Connection in cooked mode from 10.1.12.111
02-06-2011 19:19:09.854 INFO TcpInputProc - Valid signature found
02-06-2011 19:19:09.854 INFO TcpInputProc - Connection accepted from 10.1.12.111
```

Following is how a successful connection might appear in splunkd.log on the forwarder:

```
02-06-2011 19:19:09.927 INFO TcpOutputProc - attempting to connect to 10.1.12.112:9997...
02-06-2011 19:19:09.936 INFO TcpOutputProc - Connected to 10.1.12.112:9997
```
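The checks above are manual reads of splunkd.log. As an added example (not Splunk's own tooling), the following script parses TcpInputProc and TcpOutputProc lines of the form shown on this page and reports which ports are SSL listeners, which cipher suite was announced, which connections were accepted and whether a "Valid signature found" line preceded each accept, and whether the forwarder both configured SSL for a server and actually connected. The sample log lines are constructed to mirror the page's excerpts; the line layout is assumed to be `date time LEVEL Processor - message`.

```python
import re
# splunkd.log line layout as shown in the examples on this page (assumed stable).
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<lvl>\w+) (?P<proc>\w+) - (?P<msg>.*)$")

def summarize_indexer_log(text):
    """SSL listener ports, cipher suite, and (source_ip, signature_seen) per accepted connection."""
    rep, current, signature_seen = {"ssl_ports": [], "cipher_suite": "", "accepted": []}, None, False
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != "TcpInputProc":
            continue
        msg = m["msg"]
        if p := re.fullmatch(r"port (\d+) is reserved for splunk 2 splunk \(SSL\)", msg):
            rep["ssl_ports"].append(int(p.group(1)))
        elif msg.startswith("SSL cipherSuite="):
            rep["cipher_suite"] = msg.split("=", 1)[1]
        elif c := re.fullmatch(r"Connection in cooked mode from (\S+)", msg):
            current, signature_seen = c.group(1), False   # a new inbound handshake starts here
        elif msg == "Valid signature found":
            signature_seen = True
        elif a := re.fullmatch(r"Connection accepted from (\S+)", msg):
            rep["accepted"].append((a.group(1), signature_seen and a.group(1) == current))
    return rep

def summarize_forwarder_log(text):
    """Map each server:port to its SSL setting, client cert, and whether 'Connected to' was logged."""
    servers = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != "TcpOutputProc":
            continue
        msg = m["msg"]
        if u := re.match(r"Using SSL for server (\S+), clientCert=(\S+)", msg):
            entry = servers.setdefault(u.group(1), {"ssl": False, "client_cert": None, "connected": False})
            entry.update(ssl=True, client_cert=u.group(2))
        elif c := re.fullmatch(r"Connected to (\S+)", msg):
            servers.setdefault(c.group(1), {"ssl": False, "client_cert": None, "connected": False})["connected"] = True
    return servers

# Constructed samples modelled on the log excerpts on this page (not real captures);
# the second inbound connection is accepted without a preceding "Valid signature found".
INDEXER_LOG = """02-06-2011 19:19:01.552 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-06-2011 19:19:01.555 INFO TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL)
02-06-2011 19:19:09.848 INFO TcpInputProc - Connection in cooked mode from 10.1.12.111
02-06-2011 19:19:09.854 INFO TcpInputProc - Valid signature found
02-06-2011 19:19:09.854 INFO TcpInputProc - Connection accepted from 10.1.12.111
02-06-2011 19:19:12.100 INFO TcpInputProc - Connection in cooked mode from 10.1.12.150
02-06-2011 19:19:12.105 INFO TcpInputProc - Connection accepted from 10.1.12.150"""
FORWARDER_LOG = """02-06-2011 19:06:10.850 INFO TcpOutputProc - Using SSL for server 10.1.12.112:9997, clientCert=/opt/splunk/etc/auth/server.pem
02-06-2011 19:19:09.936 INFO TcpOutputProc - Connected to 10.1.12.112:9997"""
```

An accepted connection reported with `signature_seen == False`, or a server that shows `ssl: False` but `connected: True`, is the case worth investigating against the expected messages above.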
About securing distributed environments
Communication between search heads and peers uses public-key encryption.
At startup, Splunk software generates a private key and a public key on your Splunk installation. When you configure distributed search on the search head, the public keys are distributed by search heads to peers and those keys are used to secure communication. This default configuration provides built-in encryption as well as data compression that improves performance. See Distribute the key files in the Distributed Search Manual.
Public-key encryption is the default mechanism for securing distributed configurations. However, you can also configure SSL for a search head cluster by configuring each member of the cluster individually. To determine whether every member of the search head cluster is configured for SSL, check the requireClientCert attribute in server.conf on each member. See Secure your deployment server and clients using certificate authentication in Securing Splunk Enterprise.
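Checking requireClientCert on every member by hand does not scale, so here is an added example (not Splunk's own code) that parses Splunk's INI-style server.conf text and lists the members that do not enforce client certificates. It assumes requireClientCert lives in the [sslConfig] stanza, that an absent key means false, and that Splunk accepts the boolean spellings listed in the code; the member configs are constructed samples.

```python
def parse_splunk_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}; '#' lines are comments,
    and keys before any [stanza] header land in the 'default' stanza."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stanzas.setdefault(current, {})[key] = value
    return stanzas

def require_client_cert_enabled(conf_text):
    """True only if [sslConfig] sets requireClientCert to a true-ish value; absent means off.
    The accepted boolean spellings are an assumption, not taken from Splunk docs."""
    value = parse_splunk_conf(conf_text).get("sslConfig", {}).get("requireClientCert", "false")
    return value.lower() in {"true", "1", "yes"}

def audit_members(members):
    """members maps hostname -> server.conf text; returns hostnames NOT enforcing client certs."""
    return sorted(host for host, conf in members.items() if not require_client_cert_enabled(conf))

# Constructed server.conf fragments for three search head cluster members (not real configs).
MEMBERS = {
    "sh1": "[sslConfig]\nenableSplunkdSSL = true\nrequireClientCert = true\n",
    "sh2": "[sslConfig]\nenableSplunkdSSL = true\n# requireClientCert not set, so it defaults to false\n",
    "sh3": "[general]\nserverName = sh3\n\n[sslConfig]\nrequireClientCert = false\n",
}
```

Run the audit against the server.conf of every member collected from $SPLUNK_HOME/etc/system/local (or wherever your deployment keeps its effective settings); any hostname returned is a member still accepting connections without a client certificate.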
Encryption with the splunk.secret key
The splunk.secret file contains the key that is used to encrypt some of your authentication information in configuration files:
web.conf: SSL passwords on every instance
authentication.conf: LDAP passwords, if you have any
inputs.conf: SSL passwords, if you use splunktcp-ssl
outputs.conf: SSL passwords, if you use splunktcp-ssl
server.conf: pass4SymmKey, if you have one
At initial startup, Splunk Enterprise creates this file at $SPLUNK_HOME/etc/auth/. Any passwords you create in the above list are encrypted with this key. If you manually add any unencrypted passwords to those files, Splunk software encrypts them in place upon startup.
More information
Users, roles, and authentication | Learn about licensing
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12