Splunk Stream

Installation and Configuration Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Add SSL keys to use for decryption

You can use a SSL private key to decrypt data captured by Splunk_TA_stream, provided that the data is encrypted using an RSA cipher that uses the same private key.

By default, some web servers can negotiate session ciphers that do not use RSA private keys. These ephemeral key exchange protocols (such as Diffie-Hellman) make it impossible for any passive observer to decrypt the traffic, and are therefore not supported by Stream.

To ensure that Stream is able to intercept all of your encrypted traffic, it might be necessary to disable support for ephemeral ciphers within your web server's configuration. This does not make your server any less secure, because the web server uses equally effective alternative ciphers for the connection.

Add SSL Private Key

1. Go to http://localhost:8889 (replace localhost with the server name as appropriate).

The Stream Forwarder admin interface appears.

2. Click Edit SSL Keys.

The Edit SSL Keys dialog opens.

3. In the Name field, enter the unique name of your SSL key. In the Password field, enter the passphrase for your SSL key.

4. Copy and paste the contents of your PEM private key file into the space provided. Click Save key.

This updates the keystore.db file located in your $Splunk_Home/etc/apps/Splunk_TA_stream/local directory. The SSL keys in keystore.db are protected using an AES-256 cipher.

5. Restart streamfwd:

a. Go to Settings > Data Inputs.

b. Click on Wire Data.

c. Locate the "streamfwd" data input in the list. Click Disable and then Enable.

If you want to push your private key out to multiple forwarders, either copy your Splunk_TA_stream directory to your forwarders, or copy Splunk_TA_stream into $SPLUNK_HOME/etc/deployment-apps and use the deployment server to distribute the add-on.

Last modified on 21 May, 2015
Configure Stream forwarder   Use Streams Config UI

This documentation applies to the following versions of Splunk Stream: 6.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters