Ingest logs into Splunk using TLS
In today’s digital world, organizations are generating massive amounts of log data that contain valuable insights into their systems, applications, and networks. Splunk is a popular platform that helps organizations analyze and visualize this log data to gain insights and improve their operations.
Today we are going to discuss ingesting syslog from FireEye HX Cloud into Splunk, which gives additional visibility into authentication logs, system logs, containment logs, and other audit trails. FireEye HX Cloud delivers its syslog feed over Transport Layer Security (TLS), so whatever receives it on the Splunk side must accept the feed via TLS.
In this blog post, we are going to discuss two methods to ingest logs into Splunk using TLS on CentOS: a TCP SSL input in Splunk itself, and rsyslog with the GTLS network stream driver. Each method has its own advantages and disadvantages, so it's important to evaluate which option best suits your organization's needs.
The TCP SSL input for Splunk is relatively straightforward to set up, but it has a potential drawback: log loss. When the Splunk instance is restarted, any logs that were in transit during the restart are lost, because nothing else on the receiving side buffers them.
TCP SSL input for Splunk
To set up TCP SSL input for Splunk, you will need to:
Open port 6514/tcp in your firewall:
firewall-cmd --permanent --zone=public --add-port=6514/tcp
firewall-cmd --reload
Create a combined certificate file from your certificate and private key files (the certificate first, then the key), and make it readable only by the splunk user:
cat /etc/auth/cert.pem > /opt/splunk/etc/auth/splunkweb_combined.cer
cat /etc/auth/privkey.pem >> /opt/splunk/etc/auth/splunkweb_combined.cer
chown splunk:splunk /opt/splunk/etc/auth/splunkweb_combined.cer
chmod 600 /opt/splunk/etc/auth/splunkweb_combined.cer
Edit the inputs.conf file with the necessary configuration (vi /opt/splunk/etc/system/local/inputs.conf). The port in the stanza name is the port Splunk listens on, so it must be the one you opened in the firewall:
[tcp-ssl://1514]
sourcetype = syslog
index = security
disabled = false
# only accept connections from the FireEye HX Cloud sender address
acceptFrom = <IP Address of FireEye>
[SSL]
# leave empty unless the private key in serverCert is passphrase-protected
password =
# false: the sender is not asked for a client certificate; acceptFrom is the only sender check
requireClientCert = false
serverCert = /opt/splunk/etc/auth/splunkweb_combined.cer
sslVersions = tls1.2
cipherSuite = AES256-SHA
Rsyslog with GTLS
Rsyslog with GTLS is a more involved setup process but has the advantage of being less prone to log loss: rsyslog terminates the TLS session and stores the received messages locally, so a Splunk restart does not drop what is in transit. To set up Rsyslog with GTLS, you will need to:
Open port 6514/tcp in your firewall:
firewall-cmd --permanent --zone=public --add-port=6514/tcp
firewall-cmd --reload
Install the necessary packages:
yum -y install rsyslog-gnutls rsyslog gnutls-utils gnutls
Copy your certificate and private key files to the appropriate locations:
cp /etc/auth/privkey.pem /etc/pki/tls/private/rslserver-key.pem
cp /etc/auth/cert.pem /etc/pki/tls/certs/rslserver-cert.pem
Edit the rsyslog.conf file with the necessary configuration (vi /etc/rsyslog.conf):
global(
DefaultNetstreamDriver="gtls"
DefaultNetstreamDriverCertFile="/etc/pki/tls/certs/rslserver-cert.pem"
DefaultNetstreamDriverKeyFile="/etc/pki/tls/private/rslserver-key.pem"
)
module(load="imptcp" threads="3")
module(
load="imtcp"
StreamDriver.Name="gtls"
#StreamDriver.Name="ossl"
# Mode 1 = TLS only; plain TCP on this listener is refused
StreamDriver.Mode="1"
# anon = the sender's certificate is not checked; use an x509 authmode to require one
StreamDriver.Authmode="anon"
)
# plain (non-TLS) TCP listener
input(type="imptcp" port="514")
# TLS listener for the FireEye HX Cloud feed
input(type="imtcp" port="6514")
Once you have determined which method to use, you can begin ingesting logs from FireEye HX Cloud into Splunk. With TLS in place, the logs are protected in transit from eavesdropping and tampering between the sender and your receiver.
It's important to note that these instructions are specific to FireEye HX Cloud, but they can be adapted for other sources of log ingestion into Splunk. As always, stay up to date on current security best practices and continually evaluate and update your security measures to ensure that your organization's data is protected.
References:
https://github.com/CyberSecThreat-Corporation-Limited/Splunk/blob/under-review/rsyslog-ssl-rh7.conf
https://github.com/CyberSecThreat-Corporation-Limited/Splunk/blob/under-review/rsyslog-ssl_rh8.conf