
Looking for pointers on putting Cribl between Splunk UF and Indexer with TLS Encryption

Hello all, as a Cribl beginner, I am looking for resources or a guide to achieve the below -- I am trying to place Cribl between a Splunk UF and indexer with TLS encryption enabled. Any pointers/leads/direction will be highly appreciated. More details in the thread below...

Answers

  • I am not currently facing any issue or error; rather, I am trying to understand/prepare to deliver -- with what will be provided -- outputs.conf on the UF and inputs.conf on the indexer

  • xpac xpac

    Do you wanna do mTLS or just TLS on the receiving side?

  • On the Windows UF side, I must use `sslVerifyServerCert = true` in outputs.conf -- so I suppose mutual TLS is needed for this, right?

  • xpac xpac

    Mutual means that the client (sending side) also needs to present a valid cert

  • xpac xpac

    In Splunk that's requireClientCert

  • Yes. I would need to use the below in my Splunk UF outputs.conf:

    ```
    clientCert = <path>
    sslVerifyServerCert = true
    indexerDiscovery = somethingABCDEFGH
    useACK = true
    ```

    I will keep indexerDiscovery out of the scope of our discussion for now and focus more on `clientCert` and `sslVerifyServerCert` as a must to place on the Windows UF -- while I am reproducing the scenario in my lab.

  • xpac xpac

    Yeah, the question is if proper client cert authentication is part of your requirements.

  • yes. it is

  • xpac xpac

    Okay. So you already have that config for the UF. You might have to add the root CA cert that the Cribl receiving side cert has been issued by

  • xpac xpac

    In Cribl, you enable TLS on the input, enable client cert validation, give Cribl the root CA of the UF client cert.

  • xpac xpac

    On Cribl output, configure a valid client cert, on the IDX side configure inputs.conf for splunktcp-ssl, give it a root CA that issued the Cribl client cert

  • xpac xpac

    Well, whatever cert you got for that box Cribl runs on
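
A lab check of the trust relationships described in this thread, added here as an example and not posted by any participant: it builds a throwaway PKI with openssl and verifies each certificate against the root CA that the verifying side would be given. The CA and host names (`uf-ca`, `cribl-ca`, `uf-client`, `cribl-node`) are constructed, and it assumes the Cribl box uses one certificate for both its input and its output.

```bash
#!/usr/bin/env bash
# Added example: throwaway lab PKI; all CA and host names are constructed.
set -eu
WORK="$(mktemp -d)"

# make_ca NAME -> self-signed root: $WORK/NAME.pem (+ NAME.key)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue CA NAME -> leaf cert $WORK/NAME.pem signed by CA
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 1 -CAcreateserial \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/$2.pem" 2>/dev/null
}

# trusts CA CERT: exit 0 only if CERT chains to the CA file the verifier holds
trusts() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# report LABEL CA CERT: print the outcome for one verifying side
report() {
  if trusts "$2" "$3"; then echo "OK   $1"; else echo "FAIL $1"; fi
}

make_ca uf-ca;    issue uf-ca    uf-client    # CA behind the UF clientCert
make_ca cribl-ca; issue cribl-ca cribl-node   # CA behind the Cribl box's cert

report "UF verifies Cribl input cert (sslVerifyServerCert)"  cribl-ca cribl-node
report "Cribl input validates UF client cert"                uf-ca    uf-client
report "IDX validates Cribl client cert (requireClientCert)" cribl-ca cribl-node
# Misconfiguration: the UF only holds the CA that issued its own client cert
report "UF with only its own CA vs Cribl input cert"         uf-ca    cribl-node
```

The last line reports FAIL: a UF that has only been given the CA of its own client cert cannot verify the Cribl input, which is why the CA that issued the Cribl receiving cert has to be added on the UF side.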