Securing Your Splunk

posted: January 15th, 2011

Splunk is a great tool to monitor systems and networks. Although it does take a while to learn how to use Splunk properly (things I have learnt so far include extracting fields, NOT running Splunk as root, configuring how long Splunk keeps data for, etc.), it is worth the effort required to become proficient with this tool.

Over the last few days I have been working on migrating away from the built-in CA (it should have been done ages ago!) to my own CA and enforcing mutual authentication between the indexer and the forwarder. Below are the steps necessary to achieve this:

On the Splunk indexer

* Make another copy of /opt/splunk/bin/genRootCA.sh, substituting appropriate values for organization, location, etc.
* Delete all the old certificates and keys under /opt/splunk/etc/auth. I also deleted the stuff in /opt/splunk/etc/auth/audit because I don't trust those certs either.
* Run the script and follow the prompts. Keep the resulting files safe: they are your new CA, and whoever holds the CA's private key can mint a certificate your indexer will accept.
* Create and sign a certificate for the indexer and one for each forwarder with the new CA.
* Edit /opt/splunk/etc/system/local/inputs.conf and add the following to the [SSL] stanza (the one that names the indexer's server certificate and your new cacert.pem as its root CA):

requireClientCert=true

This will force the indexer to accept only connections from forwarders presenting a certificate signed by your CA! That is the whole point of replacing the built-in CA: the default Splunk certificates are identical on every Splunk download, so with them anyone who can reach the port can connect as a "trusted" forwarder. Note that the check is on the CA signature alone, not on which forwarder the certificate was issued to, so the CA key must never be copied onto a forwarder.

On the Splunk forwarder

Copy cacert.pem and the certificate signed for this forwarder (together with its private key) from the indexer to the forwarder. Edit /opt/splunk/etc/system/local/outputs.conf and add the following options to the tcpout stanza that points at the indexer:

sslVerifyServerCert=true
sslCommonNameToCheck=indexer.example.com
altCommonNameToCheck=indexer

These options force the forwarder to check that the certificate the indexer presents chains to your CA (the forwarder's trusted root must be your cacert.pem, not the old built-in one) and that its common name is the one you specified. With the indexer making the same check in the other direction you have mutual authentication: a host that knows nothing but the indexer's address can neither send data as a forwarder nor impersonate the indexer to your forwarders. Your Splunk installation will now be in a much better position to keep the bad guys out!
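The whole procedure above, as an added example that is not the post's own genRootCA.sh nor Splunk's scripts: it builds a private CA with plain openssl, signs one indexer and one forwarder certificate, writes the matching inputs.conf and outputs.conf stanzas into a scratch directory, and then runs the same check the indexer and forwarder will run, including the failure case of a certificate with the right common name but from a different CA. The organization details, host names, the "mycerts" directory and port 9997 are assumptions; requireClientCert, sslVerifyServerCert, sslCommonNameToCheck and altCommonNameToCheck are the keys from the post, while serverCert, rootCA, sslCertPath and sslRootCAPath follow the Splunk 4.x .spec files and should be confirmed against your version.

```shell
#!/bin/sh
# Added example, not Splunk's genRootCA.sh: build a private CA with openssl,
# sign an indexer and a forwarder certificate, write the matching
# inputs.conf / outputs.conf stanzas, and verify the chains offline.
# Organisation details, file names, "mycerts" and the port are assumptions.
set -eu

SUBJ_BASE="/C=US/O=Example Org"   # assumed subject prefix for every certificate

# make_ca DIR: self-signed root, CA cert in DIR/cacert.pem, CA key in DIR/ca.key.
# The key must never be copied to an indexer or forwarder: whoever holds it can
# mint certificates that every host in this setup will trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1/ca.key" -out "$1/cacert.pem" \
    -subj "$SUBJ_BASE/CN=Example Splunk CA" 2>/dev/null
  chmod 600 "$1/ca.key"
}

# issue_cert DIR NAME CN [CADIR]: new key and CSR for NAME, signed by the CA in
# CADIR (default DIR). Splunk reads certificate and private key from ONE PEM
# file, so DIR/NAME.pem is the cert followed by the key. Keys are unencrypted
# (-nodes), so the password settings are left out of the stanzas below.
issue_cert() {
  _ca="${4:-$1}"
  openssl req -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.csr" \
    -subj "$SUBJ_BASE/CN=$3" 2>/dev/null
  openssl x509 -req -days 730 -in "$1/$2.csr" -CA "$_ca/cacert.pem" \
    -CAkey "$_ca/ca.key" -CAcreateserial -out "$1/$2.crt" 2>/dev/null
  cat "$1/$2.crt" "$1/$2.key" > "$1/$2.pem"
  chmod 600 "$1/$2.key" "$1/$2.pem"
}

# verify_cert CADIR CERTFILE: exit 0 if CERTFILE chains to CADIR/cacert.pem.
# This is the test requireClientCert and sslVerifyServerCert apply: a signature
# by the trusted root. Any cert your CA signed passes; a cert with the same CN
# from another CA does not.
verify_cert() {
  openssl verify -CAfile "$1/cacert.pem" "$2" >/dev/null 2>&1
}

# cert_cn CERTFILE: print the subject CN, what sslCommonNameToCheck compares.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# write_indexer_conf DIR PORT: inputs.conf [SSL] stanza for the indexer.
# requireClientCert is from the post; serverCert and rootCA follow the
# Splunk 4.x inputs.conf.spec (assumed; check your version's spec file).
write_indexer_conf() {
  cat > "$1/inputs.conf" <<EOF
[SSL]
serverCert = \$SPLUNK_HOME/etc/auth/mycerts/indexer.pem
rootCA = \$SPLUNK_HOME/etc/auth/mycerts/cacert.pem
requireClientCert = true

[splunktcp-ssl:$2]
EOF
}

# write_forwarder_conf DIR FQDN SHORT PORT: outputs.conf tcpout stanza for a
# forwarder. The three *Verify/*ToCheck keys are the post's; sslCertPath and
# sslRootCAPath follow the 4.x outputs.conf.spec (assumed).
write_forwarder_conf() {
  cat > "$1/outputs.conf" <<EOF
[tcpout:ssl_indexer]
server = $2:$4
sslCertPath = \$SPLUNK_HOME/etc/auth/mycerts/forwarder.pem
sslRootCAPath = \$SPLUNK_HOME/etc/auth/mycerts/cacert.pem
sslVerifyServerCert = true
sslCommonNameToCheck = $2
altCommonNameToCheck = $3
EOF
}

# Demonstration in a scratch directory (skipped if openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  W=$(mktemp -d)
  make_ca "$W"
  issue_cert "$W" indexer   indexer.example.com
  issue_cert "$W" forwarder fwd01.example.com
  write_indexer_conf   "$W" 9997
  write_forwarder_conf "$W" indexer.example.com indexer 9997
  # An unrelated CA issuing a cert with the indexer's CN: right name, wrong
  # signer, so the forwarder's sslVerifyServerCert check must reject it.
  R=$(mktemp -d); make_ca "$R"; issue_cert "$R" rogue indexer.example.com
  for c in "$W/indexer.crt" "$W/forwarder.crt" "$R/rogue.crt"; do
    if verify_cert "$W" "$c"; then v=OK; else v=REJECTED; fi
    echo "$(cert_cn "$c") -> $v"
  done
  echo "files in $W: copy cacert.pem and forwarder.pem to the forwarder"
fi
```

Once the files are in place and Splunk has been restarted on both hosts, the same check can be made against the live port from a forwarder with openssl s_client, giving it -CAfile cacert.pem and -cert forwarder.pem: the handshake should complete with "Verify return code: 0", and dropping the -cert option should make the indexer refuse the connection.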

There is a longer version of this procedure on answers.splunk.com.