Splunk® Enterprise

Managing Indexers and Clusters of Indexers


Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

SmartStore security strategies

SmartStore security strategies vary according to the type of remote storage service. This topic covers security when using S3 as the remote storage service.

Authenticate with the remote storage service

If the indexer or indexer cluster is running on EC2, use the access and secret keys from its IAM role.

If the indexer or indexer cluster is not running on EC2, use hardcoded keys in indexes.conf. These are the relevant settings for hardcoding the S3 keys:

  • remote.s3.access_key. Specifies the access key to use when authenticating with the remote storage system.
  • remote.s3.secret_key. Specifies the secret key to use when authenticating with the remote storage system.
  • remote.s3.endpoint. Specifies the URL of the remote storage system. This setting tells the indexer where to go for S3 authentication. Use the value for the S3 bucket region. For example, https://s3-us-west-2.amazonaws.com.

For more information on these attributes, see the indexes.conf spec file.

The credentials you use, whether from the IAM role or from indexes.conf, need permission to perform S3 operations. They also need permission to perform KMS operations, if you are encrypting data-at-rest on the remote store.

Manage SSL certifications for the remote store

The SSL certification settings vary according to the remote storage service type. This section provides information for managing SSL for an S3 remote store, using the settings provided in indexes.conf. For more details on any of these settings, as well as for information on additional S3-related SSL settings, see the indexes.conf spec file.

The S3 SSL settings are overlaid on the sslConfig stanza in server.conf, except for sslVerifyServerCert, sslAltNameToCheck, and sslCommonNameToCheck. Therefore, if you run into issues, consult the server.conf SSL settings, in addition to the remote-storage-specific settings.

Specify SSL settings on a per-remote-volume basis.

The following list includes common attributes and their recommended values.

  • remote.s3.sslVerifyServerCert. Specifies whether to check the server cert provided by the S3 endpoint. Recommended value: true.
  • remote.s3.sslVersions. The SSL version to use. Recommended value: tls1.2.
  • remote.s3.sslAltNameToCheck. List of alternative names in the certificate presented by the server to match against. For example, s3.<region>.amazonaws.com. Recommended value: N/A.
  • remote.s3.sslRootCAPath. Absolute path to the PEM format file containing the list of root certificates. Recommended value: N/A.
  • remote.s3.cipherSuite. Ciphers to use to connect with S3. Check with your security experts. Here is an example of the type of value to enter for this attribute:
  • remote.s3.ecdhCurves. ECDH curves to send. Check with your security experts. Here is an example of the type of value to enter for this attribute: prime256v1, secp384r1, secp521r1

Encrypt the data on the remote store

SmartStore supports server-side encryption of data-at-rest on S3. SmartStore supports three encryption schemes through the remote.s3.encryption attribute in indexes.conf:

remote.s3.encryption = sse-s3 | sse-kms | sse-c | none 

The default is "none".

Configure this attribute on a per-volume basis.

The recommended method for encryption on the remote store is sse-c (server-side encryption with customer keys). This method avoids running into throttling issues from KMS.

Choosing the encryption method is a one-time decision. You cannot change the encryption method later.

See the indexes.conf spec file for detailed information on each of these settings. Also, read the Amazon documentation for configuring server-side encryption.

Encryption occurs at the time of data upload. When you configure encryption for the remote volume, you do not cause data already on the volume to be encrypted.

If you disable encryption, you do not cause existing encrypted data to be decrypted. Any encrypted data becomes unusable, because Splunk Enterprise cannot decrypt it.

Encryption with sse-c

Here is an example of setting server-side encryption with customer keys:

remote.s3.encryption = sse-c
remote.s3.encryption.sse-c.key_type = kms
remote.s3.encryption.sse-c.key_refresh_interval = 86400
# 86400 equals 24 hours. This is the default and recommended value. The minimum value is 3600.
# Setting a very low value can degrade performance.
remote.s3.kms.auth_region = <aws_region>
remote.s3.kms.key_id = <kms_keyid>
# The kms_keyid must be a unique key ID, the Amazon Resource Name (ARN) of the CMK,
# or the name or ARN of an alias that points to the CMK.

# SSL settings for KMS communication
remote.s3.kms.sslVerifyServerCert = true
remote.s3.kms.sslVersions = tls1.2
remote.s3.kms.sslAltNameToCheck = kms.<aws_region>.amazonaws.com
remote.s3.kms.sslRootCAPath = $SPLUNK_HOME/etc/auth/kms_rootcert.pem
remote.s3.kms.ecdhCurves = prime256v1, secp384r1, secp521r1

Encryption with sse-s3

Here is an example of setting server-side encryption with AES256:

remote.s3.encryption = sse-s3 

Encryption with sse-kms

Here is an example of setting server-side encryption with KMS-managed keys:

remote.s3.encryption = sse-kms
remote.s3.kms.key_id = <kms_keyid>
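The authentication, SSL and encryption guidance above can be checked mechanically before a volume goes live. The following Python audit script is an added example and not Splunk code: it reads a constructed indexes.conf sample and flags remote volumes that carry hardcoded keys on EC2, leave remote.s3.sslVerifyServerCert off, omit tls1.2, leave remote.s3.encryption at none, or set an sse-c key refresh interval below the 3600 minimum. The parse_conf, audit_volume and audit names and the sample stanzas are assumptions of this example.

```python
# Added audit helper, not Splunk code. SAMPLE_INDEXES_CONF is a constructed indexes.conf.
SAMPLE_INDEXES_CONF = """
[volume:remote_weak]
remote.s3.access_key = AKIA_PLACEHOLDER
remote.s3.secret_key = SECRET_PLACEHOLDER
remote.s3.endpoint = https://s3-us-west-2.amazonaws.com
remote.s3.sslVerifyServerCert = false
remote.s3.encryption = none
[volume:remote_hardened]
remote.s3.endpoint = https://s3-us-west-2.amazonaws.com
remote.s3.sslVerifyServerCert = true
remote.s3.sslVersions = tls1.2
remote.s3.encryption = sse-c
remote.s3.encryption.sse-c.key_type = kms
remote.s3.encryption.sse-c.key_refresh_interval = 86400
remote.s3.kms.key_id = alias/kms-key-placeholder
"""

def parse_conf(text):
    """Minimal indexes.conf reader: [stanza] headers, key = value lines, # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_volume(cfg, on_ec2):
    """Findings for one volume stanza; on_ec2 says whether an IAM role is available."""
    findings = []
    if cfg.get("remote.s3.sslVerifyServerCert", "").lower() != "true":
        findings.append("sslVerifyServerCert is not true: S3 endpoint cert is not checked")
    if cfg.get("remote.s3.sslVersions") != "tls1.2":
        findings.append("sslVersions is not tls1.2")
    if cfg.get("remote.s3.encryption", "none") == "none":
        findings.append("encryption is none: data-at-rest on the remote store is unencrypted")
    if on_ec2 and ("remote.s3.access_key" in cfg or "remote.s3.secret_key" in cfg):
        findings.append("hardcoded keys present: use the EC2 IAM role instead")
    if int(cfg.get("remote.s3.encryption.sse-c.key_refresh_interval", 86400)) < 3600:
        findings.append("sse-c key_refresh_interval is below the 3600 minimum")
    return findings

def audit(text, on_ec2=True):
    return {name: audit_volume(cfg, on_ec2)
            for name, cfg in parse_conf(text).items() if name.startswith("volume:")}
```

Run audit() over the contents of your own indexes.conf; an empty list for a volume means it meets every check above, and the on_ec2 flag decides whether hardcoded keys are reported.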
Last modified on 07 May, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6
