Hello all. As a Cribl beginner, I am looking for resources/guides to achieve the following: I am trying to place Cribl between a Splunk UF and indexer with TLS encryption enabled. Any pointers/leads/direction will be highly appreciated. More details in the thread below...
I am not currently facing any issue or error; rather, I am trying to understand and prepare to deliver, given what will be provided: outputs.conf on the UF and inputs.conf on the indexer.
Do you wanna do mTLS or just TLS on the receiving side?
On the Windows UF side, I must use `sslVerifyServerCert = true` in outputs.conf, so I suppose mutual TLS is needed for this, right?
Mutual means that the client (sending side) also needs to present a valid cert
In Splunk that's requireClientCert
Yes. I would need to use the below in my Splunk UF outputs.conf:
```
clientCert = <path>
sslVerifyServerCert = true
indexerDiscovery = somethingABCDEFGH
useACK = true
```
I will keep indexerDiscovery out of the scope of our discussion for now and focus more on `clientCert` and `sslVerifyServerCert` as a must to place on the Windows UF, while I am reproducing the scenario in my lab.
Yeah, the question is if proper client cert authentication is part of your requirements.
Yes, it is.
In Cribl, you enable TLS on the input, enable client cert validation, give Cribl the root CA of the UF client cert.
Okay. So you already have that config for the UF. You might have to add the root CA cert that the Cribl receiving side cert has been issued by
On Cribl output, configure a valid client cert, on the IDX side configure inputs.conf for splunktcp-ssl, give it a root CA that issued the Cribl client cert
Well, whatever cert you got for that box Cribl runs on