![]() ![]() $SPLUNK_HOME/bin/splunk cmd openssl req -new -key myServerPrivateKey.key -out myServerCertificate.csr Generate and sign a new server certificate $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out myServerPrivateKey.key 2048 Generate a key for your server certificate $SPLUNK_HOME/bin/splunk cmd openssl x509 -req -in m圜ACertificate.csr -sha512 -signkey m圜APrivateKey.key -CAcreateserial -out m圜ACertificate.pem -days 2048 $SPLUNK_HOME/bin/splunk cmd openssl req -new -key m圜APrivateKey.key -out m圜ACertificate.csr $SPLUNK_HOME/bin/splunk cmd openssl genrsa -aes256 -out m圜APrivateKey.key 2048 Generate a private key for your root certificate Next we need to get the Heavy Forwarder set up to receive encrypted traffic from the Universal Forwarder.Ĭreate a new directory for your certificates You can test if your HF is communicating with Splunk Cloud by running a search for your HF internal logs from the Splunk Cloud Search Head.(Remember, if you need this app on multiple HF's then make sure the password is the unencrypted raw password, as the encrypted password is tied to the HF instance. This will encrypt the password in the app. You will need to restart the Heavy Forwarder (HF) to get it working. Untar the file (tar -xvf splunkclouduf.spl) and put the resulting app ( 100_splunkcloud)into $SPLUNK_HOME/etc/apps. (These configs will also work for the Heavy Forwarder. Click on the 'Download Universal Forwarder Credentials' button. ![]() Log into Splunk Cloud and click on the Universal Forwarder app on the left had side menu.Below we will step through this process.įirst we will set up the Heavy Forwarder to Splunk Cloud communication. The process to set this up is pretty straight forward but there are a few key configurations that are vital in order to get it working as expected. Hopefully the below steps can help you if you need to perform similar tasks. It can become tricky as the Heavy Forward receives encrypted traffic, needs to decrypt it using one set of certs, then re-encrypt it and send to Splunk Cloud using the Splunk provided certs. In the below example however, we will outline the steps required if you need to also encrypt data between the Universal Forwarder and the intermediate Heavy Forwarder. Splunk provides a cert for communicating with Splunk Cloud and it is well documented on how to set up this integration. In most cases, log data and other metrics are unencrypted while on-prem and only encrypted as they exits your environment and travel across the internet (on port 9997 or 443) to Splunk Cloud. There maybe certain use-cases where you require end-to-end encryption of data as it traverses from source to destination, in our case from our Splunk Universal Forwarder to Splunk Cloud via an on-prem Splunk Heavy Forwarder. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |