Review security configurations and certificates

After you identify how Splunk users log into your deployment and what they can see when they log in, the next option is to identify how Splunk Web and the instances on your deployment have been secured.

Splunk software ships with a set of default TLS certificates. The software generates and configures these certificates at startup and places them in the $SPLUNK_HOME/etc/auth/ directory on each Splunk Enterprise instance. The default certificates offer some level of protection but are not nearly as secure as certificates that you create or obtain from a third party. Where possible, replace these certificates with self- or third-party-signed certificates.

To understand the relationship of encryption between individual Splunk Enterprise instances using the default TLS certificates that come with the product, see Table of most common encrypted Splunk Platform instance communication scenarios in Securing Splunk Enterprise.

Verify TLS configurations

You can determine how Splunk Enterprise is using TLS to connect to individual instances with the following procedures

Verify TLS connections to Splunk Web

Use the following Splunk search command to verify your TLS connections in Splunk Web:

index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname version sourceIp destPort ssl

Verify TLS connections between Indexers and forwarders

On an indexer, view the splunkd.log log file and look for the following or similar messages at the start-up sequence to verify a successful connection:

02-06-2011 19:19:01.552 INFO TcpInputProc - using queueSize 1000
02-06-2011 19:19:01.552 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
02-06-2011 19:19:01.552 INFO TcpInputProc - supporting SSL v2/v3
02-06-2011 19:19:01.555 INFO TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL)
02-06-2011 19:19:01.555 INFO TcpInputProc - Port 9997 is compressed
02-06-2011 19:19:01.556 INFO TcpInputProc - Registering metrics callback for: tcpin_connections

On a forwarder, look in the splunkd.log for the following or similar messages at the start-up sequence to verify a successful connection:

02-06-2011 19:06:10.844 INFO TcpOutputProc - Retrieving configuration from properties
02-06-2011 19:06:10.850 INFO TcpOutputProc - Using SSL for server 10.1.12.112:9997, clientCert=/opt/splunk/etc/aut/server.pem
02-06-2011 19:06:10.854 INFO TcpOutputProc - ALL Connections will use SSL with sslCipher=
02-06-2011 19:06:10.859 INFO TcpOutputProc - initializing single connection with retry strategy for 10.1.12.112:9997

Following is how a successful connection might appear in splunkd.log on an indexer:

02-06-2011 19:19:09.848 INFO TcpInputProc - Connection in cooked mode from 10.1.12.111
02-06-2011 19:19:09.854 INFO TcpInputProc - Valid signature found
02-06-2011 19:19:09.854 INFO TcpInputProc - Connection accepted from 10.1.12.111

Following is how a successful connection might appear in splunkd.log on a forwarder:

02-06-2011 19:19:09.927 INFO TcpOutputProc - attempting to connect to 10.1.12.112:9997...
02-06-2011 19:19:09.936 INFO TcpOutputProc - Connected to 10.1.12.112:9997

About securing distributed environments

Communication between search heads and peers uses public-key encryption.

At startup, Splunk software generates a private key and a public key on your Splunk Enterprise installation. When you configure distributed search on the search head, the search heads distribute those public keys to the peers and those keys are used to secure communication. This default configuration provides built-in encryption as well as data compression that improves performance. See Distribute the key files in the Distributed Search Manual.

Public-key encryption for securing distributed configurations. However, it is possible to configure SSL for a search head cluster by configuring each member of the search head cluster. You can determine if your deployment has each member of the search head cluster configured for SSL by checking the attribute requireClientCert in server.conf. See Secure your deployment server and clients using certificate authentication in Securing Splunk Enterprise.

Encryption with the splunk.secret key

The splunk.secret file contains a key that encrypts some of your authentication information in configuration files:

• web.conf: SSL passwords on every instance
• authentication.conf: LDAP passwords, if you have any
• inputs.conf: SSL passwords, if you use splunktcp-ssl
• outputs.conf: SSL passwords, if you use splunktcp-ssl
• server.conf: pass4symmkey, if you have one

At initial startup, Splunk Enterprise creates the splunk.secret file in the $SPLUNK_HOME/etc/auth/ directory. Any passwords that you create in the previous list of configuration files appear encrypted in this file. If you manually add any unencrypted passwords, Splunk software overwrites those passwords into this file upon startup.

More information

See the following topics for more information on securing your Splunk Enterprise deployment.

For an introduction to using TLS to secure your Splunk Enterprise instances:

• Introduction to securing the Splunk platform with TLS

For information on how to secure Splunk Web:

• About securing Splunk Web
• Secure Splunk Web with your own certificate

For information on how to secure connections between Splunk platform instances and processes:

• Secure distributed search heads and peers
• Secure your deployment search heads and clients

For information on how to secure connections between Splunk indexers and forwarders:

• Configure Splunk forwarding to use your own certificates