Configure Splunk forwarding to use your own certificates
You can send data from forwarders to indexers using your own certificates. You can either self-sign these certificates or use a third party to sign them. Using your own certificates to secure Splunk communications involves the following procedures:
- Configuring indexers to use a new signed certificate.
- Configuring forwarders to use a new signed certificate.
Before you can secure communications between Splunk indexers and forwarders, you must procure and prepare the certificates. You must satisfy the following conditions:
- The certificates that you procure are Privacy-Enhanced Mail (.pem) files, and that the format of those files conforms with the x.509 public key certificate standard.
- The certificate key must be in RSA security format.
You can also create multiple certificates that are signed by the same Certificate Authority (CA) with different common names, and distribute those to your indexers for added security. When you give the forwarder the CA public key, the forwarder trusts the CA, verifies the certificate of the CA, and matches one of the SSL common names or alternative names, as configured by either the
sslAltNameToCheck settings in the forwarder configuration file.
If you need help on creating and preparing your own certificates, see the following topics for more information:
Configure indexers to use a signed certificates
- Copy your server certificate and CA public certificate into an accessible folder on the indexer you want to configure. For example, you can use a destination folder of
If you configure the
outputs.confconfiguration files in an app directory, the indexer does not encrypt the password, and the clear-text value remains in the file. You might want to create different certificates and sign them with the same root CA for use when you configure SSL in app directories.
- Configure the
inputs.conffile on the indexer to use the new server certificate. Add the following stanzas to
$SPLUNK_HOME/etc/system/local/inputs.conf(or the appropriate directory of any app you are using to distribute your forwarding configuration), stanzas:
[splunktcp-ssl:9997] disabled=0 [SSL] serverCert = <Absolute path to the certificate. The default certificate can be found at $SPLUNK_HOME/etc/auth/> sslPassword (Optional) = <password associated with the server certificate, if it exists> requireClientCert = "true" if you want your indexer to require authentication from the client (which in this case is the forwarder), "false" otherwise sslVersions (Optional) = <string of accepted password SSL versions. Default: the recommended setting of "*,-ssl2", which is anything newer than SSLv2.> cipherSuite (Optional) = <cipher suite string. If not set, the indexer uses the default cipher string> sslCommonNameToCheck (Optional) = <commonName1>, <commonName2>, ... If provided, the indexer checks the common name of the client certificate against this list of names. If there is no match the Splunk instance is not authenticated. You must set the 'requireClientCert' setting to "true" to use this setting. sslAltNameToCheck (Optional) = <alternateName1>, <alternateName2>, ... If provided, the indexer checks the alternate name of the client certificate against this list of names. If there is no match the Splunk instance is not authenticated. requireClientCert setting must be set to "true" to use this setting.
When you edit the configuration file in
$SPLUNK_HOME/etc/system/local/inputs.conf, the indexer encrypts the password and overwrites the clear-text server certificate password that you provided when you restarted Splunk Enterprise.
- On indexers that do not run on Windows, configure
server.confand add the following:
sslRootCAPath = <Absolute path to the CA certificate. The default value is $SPLUNK_HOME/etc/auth/cacert.pem>
- Restart the splunkd process:
# $SPLUNK_HOME/bin/splunk restart splunkd
Configure forwarders to use a signed certificate
- Generate a new certificate (for example,
- Copy the new certificate and the CA public certificate
myCACertificate.peminto an accessible folder on the forwarders you want to configure. For example, you can use a destination folder of
If you configure
outputs.confin an app directory, the forwarder does not encrypt the passwords and the clear-text value remains in the file. You might want to create different certificates (signed by the same root CA) to use when configuring SSL in app directories.
- Define the
$SPLUNK_HOME/etc/system/local/outputs.conf(or in the appropriate directory of any app you use to distribute your forwarding configuration):
[tcpout:group1] server=10.1.1.197:9997 disabled = 0 clientCert = <The full path to the client SSL certificate, in PEM format. If this value is provided, the connection will use SSL.> useClientSSLCompression = true (Disabling TLS compression can cause bandwidth issues.) sslPassword (Optional) = <password for the client certificate> sslCommonNameToCheck (Optional) = <commonName1>, <commonName2>, ... sslVerifyServerCert (Optional) = "true" if you want to use SSL common name checking. Default: No common name checking. sslAltNameToCheck (Optional) = <alternateName1>, <alternateName2>, ... cipherSuite = (Optional) Splunk uses any specified cipher string for the input processors. If not set, Splunk uses the default cipher string provided by OpenSSL.
When you save the file in
$SPLUNK_HOME/etc/system/local/outputs.conf, Splunk Enterprise encrypts and overwrites the clear-text server certificate password on restart.
- On forwarders that do not run on Windows, configure
server.confand add the following:
[sslConfig] sslRootCAPath = <absolute path to the CA cert, for example, the default value is $SPLUNK_HOME/etc/auth/cacert.pem>
- Restart the splunkd process.
$SPLUNK_HOME/bin/splunk restart splunkd
Forward data over SSL to more than one indexer
If you need to forward data securely to multiple indexers, complete the following procedure:
- On the forwarder where you want to send data to multiple indexers, edit
outputs.confon the forwarder.
- In the target output group definition stanza for the forwarder, add a
host:portentry for each indexer to which you want to send data over SSL. Separate multiple entries with commas.
- Save the
outputs.conffile and close it.
- Restart the forwarder.
The following example
outputs.conf file uses the same certificate for the indexer and the forwarders:
[tcpout] [tcpout:group1] server = 10.1.12.112:9997,10.1.12.111:9999 disabled = 0 clientCert = $SPLUNK_HOME/etc/auth/client.pem useClientSSLCompression = true Defaults to the value set in the useClientSSLCompression attribute set in server.conf. sslPassword = <password for the client certificate> sslCommonNameToCheck = indexercn.example.org sslVerifyServerCert = true
Forward data to multiple indexers using certificates with different common names
You can create and configure one server certificate for each indexer by configuring
outputs.conf on the forwarder with one server-specific [SSLConfig] stanza for each indexer.
If you have created one server certificate for each indexer and you have set a unique
sslAltNameToCheck in each indexer certificate to be checked by the forwarders, you must configure one
[tcpout-server://host:port] configuration stanza for each indexer in outputs.conf. This is so that you can specify which name to check for each indexer.
Check the forwarder-indexer configuration to make sure it works. See Validate your configuration.
Configure Splunk forwarding to use the default certificate
Validate your configuration
This documentation applies to the following versions of Splunk® Enterprise: 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.1.0