Use SSL keys for decryption on forwarders
You can use an SSL private key to decrypt data captured by Splunk Stream Forwarder.
To do this, your data must be encrypted using an RSA cipher that uses the same private key.
Some web servers negotiate session ciphers that do not use RSA private keys. These ephemeral key exchange protocols (such as Diffie-Hellman) make it impossible for any passive observer to decrypt the traffic, and are therefore not supported by Splunk Stream.
To ensure that Splunk Stream can intercept all of your encrypted traffic, you can disable support for ephemeral ciphers on your web server. Once you configure SSL, your web server will use equally effective alternative ciphers for the connection.
Add SSL Private Key
- Confirm that your SSL key is a PEM private key file.
-----BEGIN ENCRYPTED PRIVATE KEY----- MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIS2qgprFqPxECAggA MBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxP3FyaMIUq8QmckXCs3Sa 9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+Xd8VucZDmDSpzZGDod A .... MANY LINES LIKE THAT .... .... MANY LINES LIKE THAT .... X0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/WZeoMM/BVXO+nayuIMyH blK948UAda/bWVmZjXfY4Tztah0CuqlAldOQBzu8TwE7WDwo5S7lo5u0EXEoqCCq H0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0ckVE2iZH9l7g5edmUZ GEs= -----END ENCRYPTED PRIVATE KEY-----
- Go to
$SPLUNK_HOME/etc/apps/Splunk_TA_stream/linux_x86_64/bin
. - Use the
streamfwd --addsslkey
command to add the PEM private key file:./streamfwd --addsslkey <key_name> <pem_file> <password>
$SPLUNK_HOME/etc/apps/Splunk_TA_stream/local/keystore.db
.keystore.db
protects SSL keys using an AES-256 cipher. - Restart streamfwd:
- Navigate to Settings > Data Inputs.
- Click Wire Data.
- Locate the
streamfwd
data input. Click Disable then click Enable.
Note: If you want to push your private key out to multiple forwarders, either copy your Splunk_TA_stream
directory to your forwarders, or copy Splunk_TA_stream
into $SPLUNK_HOME/etc/deployment-apps
and use the deployment server to distribute the add-on.
Convert PFX files to PEM files
Windows servers often use .pfx
files instead of .pem
files. You can convert .pfx
files to .pem
files using this openSSL
command:
openssl pkcs12 -in CUSTOMERSKEY.pfx -nocerts -out KEYFORSTREAM.pem -nodes</code>
Manage data configuration for Stream forwarders | Ingest PCAP files |
This documentation applies to the following versions of Splunk Stream™: 7.3.0, 7.4.0, 8.0.0
Feedback submitted, thanks!