Set up SSL for forwarding and receiving

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13

Each forwarder and receiver can be configured to use SSL. Set up SSL in inputs.conf for the receiver and in outputs.conf for the forwarder. You can use SSL for both authentication and encryption, or for encryption only.

Note: SSL configurations for distributed data are separate from SSL/HTTPS configuration for Splunk Web.

Forwarder

To set up SSL on the forwarder, edit $SPLUNK_HOME/etc/system/local/outputs.conf. If you want to use SSL for authentication, add a stanza for each receiver that needs to be certified.

[tcpout-server://$IP:$PORT]
sslCertPath=<full path to client certificate>
sslPassword=<password for cert>
sslRootCAPath=<optional path to root certificate authority file>
sslVerifyServerCert=<true|false>
sslCommonNameToCheck=<server's common name, set only if sslVerifyServerCert is set to true>
altCommonNameToCheck=<server's alternate name, set only if sslVerifyServerCert is set to true>

  • sslCertPath
    • Full path to the certificate file the forwarder presents to the receiver (the client certificate in the stanza above).
  • sslRootCAPath
    • Local path to the root certificate authority file. Optional. Set it if the root CA is local.
  • sslPassword
    • Password for the certificate. Defaults to sslPassword = password.

If set to true, sslVerifyServerCert makes sure that the server you are connecting to presents a valid certificate (that is, the server is authenticated). Both the common name and the alternate name of the server are then checked for a match. Defaults to false.

sslCommonNameToCheck checks the common name of the server's certificate against this name. If there is no match, the forwarder treats itself as not authenticated against this server. You must specify this key/value pair if sslVerifyServerCert is true.

altCommonNameToCheck checks the alternate name of the server's certificate against this name. If there is no match, the forwarder treats itself as not authenticated against this server. You must specify this key/value pair if sslVerifyServerCert is true.

Encryption only

To send with encryption only, configure your SSL stanza in $SPLUNK_HOME/etc/system/local/outputs.conf as follows:

[tcpout-server://$IP:$PORT]
sslCertPath=/home/myhome/certs/foo.pem
sslPassword=password
sslRootCAPath=/home/myhome/certs/root.pem
sslVerifyServerCert=false

Note: you can set up the stanza only for a specific [tcpout-server://$IP:$PORT]. You cannot set up SSL for a server group or a default group.

Encryption and authentication

To set up SSL for authentication as well as encryption, configure your SSL stanza in $SPLUNK_HOME/etc/system/local/outputs.conf as follows:

[tcpout-server://$IP:$PORT]
sslCertPath=<full path to client certificate>
sslPassword=<password for cert>
sslRootCAPath=<optional path to root certificate authority file>
sslVerifyServerCert=true
sslCommonNameToCheck=<server's common name, required because sslVerifyServerCert is true>
altCommonNameToCheck=<server's alternate name, required because sslVerifyServerCert is true>

Note: You will have to write a stanza for each unique outbound connection that authenticates via SSL.

Receiver

In order to use SSL for receiving you must include a stanza called [SSL] in $SPLUNK_HOME/etc/system/local/inputs.conf:

[SSL]
serverCert=<full path to the server certificate>
password=<server certificate password, if any>
rootCA=<certificate authority list (root file)>
dhfile=<optional path to the dhfile.pem>
# set requireClientCert to true if you are setting up authentication
requireClientCert=<true|false>

The serverCert key/value pair is used to specify the path to the server certificate file.

password is used if the certificate uses a password. Optional.

The rootCA key/value pair is used to specify the path to the root certificate authority file.

If you want the system to require a valid certificate from the client in order to complete the connection, set requireClientCert to 'true'; otherwise set it to 'false'.

If you wish, you can use different certificates on different ports, thus allowing different sets of clients to connect to different ports.

Configuration

You will also have to add a listener stanza in $SPLUNK_HOME/etc/system/local/inputs.conf:

[splunktcp-ssl:9996]
queue=indexQueue

The above stanza will start a listener for another Splunk server's encrypted cooked data on port 9996.

[tcp-ssl:9995]
queue=parsingQueue

The above stanza will start a listener for raw encrypted data on port 9995.
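The forwarder and receiver stanzas above are easy to get subtly wrong: sslVerifyServerCert left at false, the default sslPassword of "password", or requireClientCert=false on a receiver that is meant to authenticate its forwarders all leave a link encrypted but not authenticated. The following script is an added example, not Splunk's own tooling; it parses the key=value stanzas described on this page and reports those settings. The sample stanza contents, the IP 10.0.0.5 and the certificate paths under /opt/splunk/etc/auth are constructed for the example.

```python
def parse_conf(text):
    """Minimal Splunk .conf parser: {stanza: {key: value}}; first '=' splits."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def lint_ssl(text):
    """Return a list of (stanza, finding) tuples for weak SSL settings."""
    findings = []
    for name, kv in parse_conf(text).items():
        if name.startswith("tcpout-server://"):          # forwarder side (outputs.conf)
            if kv.get("sslVerifyServerCert", "false").lower() != "true":
                findings.append((name, "server certificate not verified: encryption only"))
            elif not (kv.get("sslCommonNameToCheck") or kv.get("altCommonNameToCheck")):
                findings.append((name, "sslVerifyServerCert=true but no name to check"))
            if kv.get("sslPassword", "password") == "password":   # page's documented default
                findings.append((name, "sslPassword is the default 'password'"))
        elif name == "SSL":                                # receiver side (inputs.conf)
            if kv.get("requireClientCert", "false").lower() != "true":
                findings.append((name, "requireClientCert is not true: forwarders not authenticated"))
            if not kv.get("rootCA"):
                findings.append((name, "rootCA not set: cannot validate client certificates"))
    return findings

# Constructed sample: the page's encryption-only forwarder stanza plus an
# [SSL] receiver stanza that does not require client certificates.
WEAK = """
[tcpout-server://10.0.0.5:9996]
sslCertPath=/home/myhome/certs/foo.pem
sslPassword=password
sslRootCAPath=/home/myhome/certs/root.pem
sslVerifyServerCert=false

[SSL]
serverCert=/opt/splunk/etc/auth/server.pem
rootCA=/opt/splunk/etc/auth/cacert.pem
requireClientCert=false
"""

if __name__ == "__main__":
    for stanza, msg in lint_ssl(WEAK):
        print(f"[{stanza}] {msg}")
```

Run it against the local outputs.conf and inputs.conf text; an empty result means every forwarder stanza verifies its receiver by name and the receiver demands client certificates.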

Revision: 207