Looking for pointers on putting Cribl between Splunk UF and Indexer with TLS Encryption
Hello all, as a Cribl beginner, I am looking for resources/a guide to achieve the below --- I am trying to place Cribl between the Splunk UF and indexer with TLS encryption enabled. Any pointers/leads/direction will be highly appreciated. More details in the thread below...
Answers
-
I am not currently facing any issue or error; rather, I am trying to understand/prepare to deliver -- with what will be provided -- outputs.conf on the UF and inputs.conf on the indexer.
0 -
Do you wanna do mTLS or just TLS on the receiving side?
0 -
On the Windows UF side, I must use `sslVerifyServerCert = true` in outputs.conf -- so I suppose mutual TLS is needed for this, right?
0 -
Mutual means that the client (sending side) also needs to present a valid cert.
0 -
In Splunk that's `requireClientCert`.
0 -
Yes. I would need to use the below in my Splunk UF outputs.conf:

```ini
# UF client certificate (PEM) presented to the receiving side
clientCert = <path>
# verify the receiving side's server certificate
sslVerifyServerCert = true
indexerDiscovery = somethingABCDEFGH
useACK = true
```

I will keep `indexerDiscovery` out of the scope of our discussion for now and focus more on `clientCert` and `sslVerifyServerCert` as a must to place on the Windows UF -- while I am reproducing the scenario in my lab.
0 -
Yeah, the question is if proper client cert authentication is part of your requirements.
0 -
Yes, it is.
0 -
Okay. So you already have that config for the UF. You might have to add the root CA cert that the Cribl receiving-side cert has been issued by.
0 -
In Cribl, you enable TLS on the input, enable client cert validation, give Cribl the root CA of the UF client cert.
0 -
On the Cribl output, configure a valid client cert; on the IDX side, configure inputs.conf for `splunktcp-ssl` and give it the root CA that issued the Cribl client cert.
0 -
Well, whatever cert you got for that box Cribl runs on.
0
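The two Splunk-side hops the answers above describe, written out as stanzas (the Cribl input and output sit between them and are configured in the Cribl UI as described). This is an added example, not configuration from the thread or from Cribl or Splunk documentation; the host name, port, file paths, passphrase placeholders and CA file names are constructed, and it assumes the UF and the indexer read their trusted root CA from server.conf `[sslConfig]`.

```ini
# --- Universal Forwarder: outputs.conf (constructed example) ---
# The UF sends to Cribl, not directly to the indexer, so the target
# is the Cribl Stream worker's Splunk TCP input.
[tcpout]
defaultGroup = cribl

[tcpout:cribl]
server = cribl-worker.example.lab:9997
useACK = true
# Client cert + private key (PEM) presented to Cribl for mutual TLS
clientCert = $SPLUNK_HOME/etc/auth/lab/uf-client.pem
sslPassword = <key-passphrase-placeholder>
# Reject the connection unless Cribl's server cert chains to the
# trusted root CA below and its CN matches the expected host name
sslVerifyServerCert = true
sslCommonNameToCheck = cribl-worker.example.lab

# --- Universal Forwarder: server.conf (constructed example) ---
# Root CA that issued the certificate on the Cribl input.
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/lab/cribl-input-ca.pem

# --- Indexer: inputs.conf (constructed example) ---
# The Cribl Splunk output connects here and must present a client cert.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/lab/idx-server.pem
sslPassword = <key-passphrase-placeholder>
requireClientCert = true
sslVersions = tls1.2

# --- Indexer: server.conf (constructed example) ---
# Root CA that issued the client certificate configured on the Cribl output.
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/lab/cribl-output-ca.pem
```

Each hop only trusts the CA that issued its peer's certificate, so a UF cert signed by an unexpected CA is rejected at Cribl and a Cribl output cert signed by an unexpected CA is rejected at the indexer.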