
Ingest logs into Splunk using TLS

In today’s digital world, organizations are generating massive amounts of log data that contain valuable insights into their systems, applications, and networks. Splunk is a popular platform that helps organizations analyze and visualize this log data to gain insights and improve their operations.

Today we look at ingesting syslog from FireEye HX Cloud into Splunk, which gives you its authentication logs, system logs, containment events and other audit trails in one place. FireEye HX Cloud delivers syslog over Transport Layer Security (TLS) only, so whatever receives it on the Splunk side has to terminate TLS.

In this blog post we cover two ways to do that on CentOS: Splunk's own TCP SSL input, and rsyslog with the GnuTLS (gtls) network stream driver. Each has trade-offs, so evaluate which fits your environment.

TCP SSL input for Splunk is the simpler setup, but it has a drawback: log loss. While splunkd restarts (after a configuration change, for example) nothing is listening on the port, and anything FireEye sends during that window is dropped; you are relying on the sender to retry.

TCP SSL input for Splunk

To set up TCP SSL input for Splunk, you will need to:

Open port 6514/tcp in your firewall (use the same port in the input stanza and as the syslog destination port in FireEye HX):

firewall-cmd --permanent --zone=public --add-port=6514/tcp

firewall-cmd --reload

Create a combined PEM file from your server certificate and private key, certificate first and key second. If the certificate was issued by an intermediate CA, append the intermediate and root certificates after the key; Splunk reads the file in that order:

cat /etc/auth/cert.pem > /opt/splunk/etc/auth/splunkweb_combined.cer

cat /etc/auth/privkey.pem >> /opt/splunk/etc/auth/splunkweb_combined.cer

chown splunk:splunk /opt/splunk/etc/auth/splunkweb_combined.cer

chmod 600 /opt/splunk/etc/auth/splunkweb_combined.cer

Edit the inputs.conf file with the necessary configurations (vi /opt/splunk/etc/system/local/inputs.conf):

[tcp-ssl://6514]
sourcetype = syslog
index = security
disabled = false
acceptFrom = <IP Address of FireEye>

[SSL]
password =
requireClientCert = false
serverCert = /opt/splunk/etc/auth/splunkweb_combined.cer
sslVersions = tls1.2
cipherSuite = AES256-SHA

A few points on this stanza. The port in the stanza header must be the one you opened in the firewall and configured in FireEye HX (an earlier draft listened on 1514 while opening 6514). acceptFrom takes an address, a CIDR range or a comma-separated list; because requireClientCert is false the server never authenticates the sender, so this list and the firewall rule are the only things keeping other hosts from writing into the security index. password is needed only if the private key inside the combined file is encrypted; leave it empty otherwise. sslVersions = tls1.2 refuses older protocol versions. cipherSuite = AES256-SHA is an RSA key exchange, CBC mode, SHA-1 suite with no forward secrecy; keep it only if the sender cannot negotiate anything better, and if FireEye HX also offers an ECDHE/GCM suite (for example ECDHE-RSA-AES256-GCM-SHA384) prefer that and confirm the negotiated cipher with a test connection. Restart splunkd after editing inputs.conf; the listener is not created until then.
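Two things you will want right after editing inputs.conf are a sanity check on the combined file (the usual failures are certificate and key in the wrong order, a key that does not belong to the certificate, an encrypted key with no password set, or a world-readable file) and a way to confirm from outside what the listener actually negotiates. The script below is an added example and is not part of the original post; the splunk service account, the file paths and the host you probe from are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: build the combined PEM that
# Splunk's [SSL] serverCert setting expects, check it before restarting
# splunkd, and probe the finished listener from another host. The "splunk"
# service account, the file paths and the probe host are assumptions.
set -eu

# Concatenate in the order Splunk reads the file: server certificate,
# then private key, then intermediate/root CA certificates if any.
build_combined_cert() {
  local cert=$1 key=$2 out=$3 chain=${4:-}
  ( umask 077                               # file is created 0600
    { cat "$cert"; cat "$key"
      if [ -n "$chain" ]; then cat "$chain"; fi; } > "$out" )
}

# Static checks for the usual mistakes: wrong block order, not exactly one
# key, an encrypted key without "password =", loose permissions and, when
# openssl is available, a certificate that does not belong to the key.
check_combined_cert() {
  local f=$1 rc=0
  if [ "$(grep -- '-----BEGIN' "$f" | head -n 1)" != '-----BEGIN CERTIFICATE-----' ]; then
    echo "FAIL: first PEM block must be the server certificate" >&2; rc=1
  fi
  if [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f")" != 1 ]; then
    echo "FAIL: expected exactly one private key block" >&2; rc=1
  fi
  if grep -q 'ENCRYPTED' "$f"; then
    echo "WARN: private key is encrypted; set password = in the [SSL] stanza" >&2
  fi
  case "$(ls -l "$f" | cut -c1-10)" in
    -rw-------) ;;
    *) echo "FAIL: $f must be mode 0600 (it contains the private key)" >&2; rc=1 ;;
  esac
  if command -v openssl >/dev/null 2>&1; then
    # The public key inside the certificate must equal the one derived from
    # the private key; otherwise splunkd rejects the file at startup.
    if [ "$(openssl x509 -in "$f" -noout -pubkey 2>/dev/null)" != \
         "$(openssl pkey -in "$f" -pubout 2>/dev/null)" ]; then
      echo "FAIL: certificate and private key do not match" >&2; rc=1
    fi
  fi
  return "$rc"
}

# Run from a host allowed by acceptFrom: send one RFC 5424 test line over
# TLS 1.2 and print what was negotiated. A Cipher line without ECDHE means
# no forward secrecy (AES256-SHA is such a suite).
probe_tls_listener() {
  local host=$1 port=${2:-6514}
  printf '<14>1 %s %s tls-probe - - - splunk ingest check\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" |
    openssl s_client -connect "$host:$port" -tls1_2 2>/dev/null |
    grep -E '^ *(Protocol|Cipher) *:'
}

case "${1:-}" in
  build)
    build_combined_cert /etc/auth/cert.pem /etc/auth/privkey.pem \
      /opt/splunk/etc/auth/splunkweb_combined.cer
    chown splunk:splunk /opt/splunk/etc/auth/splunkweb_combined.cer
    check_combined_cert /opt/splunk/etc/auth/splunkweb_combined.cer ;;
  probe)
    probe_tls_listener "${2:?usage: $0 probe <splunk-host> [port]}" "${3:-6514}" ;;
esac
```

Run `build` as root before restarting splunkd, then `probe <splunk-host>` from a machine that is in the acceptFrom list (from anywhere else the handshake completes but Splunk drops the connection). The probe line is indexed like any other event, so `index=security tls-probe` in the search bar confirms the whole path end to end, and `splunk btool inputs list tcp-ssl --debug` shows which inputs.conf the stanza was actually read from.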

Rsyslog with GTLS

Rsyslog with GTLS takes more setup, but it is less prone to log loss: rsyslog terminates TLS and writes to disk independently of splunkd, and Splunk picks the file up with a monitor input (or a forwarder), so a Splunk restart only pauses reading from the file instead of dropping what arrives in the meantime. To set it up, you will need to:

Open port 6514/tcp in your firewall:

firewall-cmd --permanent --zone=public --add-port=6514/tcp

firewall-cmd --reload

Install the necessary packages:

yum -y install rsyslog-gnutls rsyslog gnutls-utils gnutls

Copy your certificate and private key to the system PKI directories. rsyslog runs as root on CentOS, so the key file must be readable only by root:

cp /etc/auth/privkey.pem /etc/pki/tls/private/rslserver-key.pem

cp /etc/auth/cert.pem /etc/pki/tls/certs/rslserver-cert.pem

Add the following to rsyslog.conf (vi /etc/rsyslog.conf), before any existing imtcp lines, or put it in a file under /etc/rsyslog.d/:

global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCertFile="/etc/pki/tls/certs/rslserver-cert.pem"
  DefaultNetstreamDriverKeyFile="/etc/pki/tls/private/rslserver-key.pem"
)

module(load="imptcp" threads="3")

module(
  load="imtcp"
  StreamDriver.Name="gtls"
  #StreamDriver.Name="ossl"
  StreamDriver.Mode="1"
  StreamDriver.Authmode="anon"
)

input(type="imptcp" port="514")
input(type="imtcp" port="6514")

What these settings mean: StreamDriver.Mode="1" makes the imtcp listener TLS-only (mode 0 would accept plaintext on the same port). StreamDriver.Authmode="anon" means the server presents its certificate but never asks the client for one, so the firewall rule is the only sender restriction; if FireEye HX can present a client certificate, x509/name or x509/fingerprint together with a DefaultNetstreamDriverCAFile is the stronger choice. The commented ossl line is the OpenSSL driver alternative to gtls. The imptcp module and the input on port 514 are a plaintext listener that has nothing to do with TLS; the firewall rule above does not open 514, so it is reachable only from the host itself, but remove both lines unless you actually have non-TLS senders. After editing, validate the configuration with rsyslogd -N1 and restart rsyslog, then add a Splunk monitor input for the file rsyslog writes these messages to (with the default rules that is /var/log/messages; a dedicated file per source is cleaner).
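The page stops at the rsyslog listener, but the method only ingests into Splunk once the received lines land in a file that Splunk reads. The script below is an added example, not from the original post or the referenced repository: it stages the TLS material with safe permissions, writes the listener as an /etc/rsyslog.d/ drop-in that keeps FireEye HX events in their own file (and drops the plaintext imptcp listener), and writes the matching Splunk monitor stanza. The CA file path, the log file path, the ruleset name, the fireeye_hx app directory and a splunk group that can read the log are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or the referenced repository:
# stage the TLS material with safe permissions, write the rsyslog GTLS
# listener as a drop-in that lands FireEye HX messages in their own file,
# and write the Splunk monitor stanza that reads that file. The CA file,
# the log path, the ruleset name and the "splunk" group are assumptions.
set -eu

# rsyslog runs as root on CentOS, so the key is root-only; the certificate
# is public and can stay world-readable.
install_tls_material() {
  local cert=$1 key=$2 dest=${3:-/etc/pki/tls}
  install -m 0644 "$cert" "$dest/certs/rslserver-cert.pem"
  install -m 0600 "$key"  "$dest/private/rslserver-key.pem"
}

# Differences from the minimal listener: no plaintext imptcp input at all
# (TLS-only is the point), the issuing CA file is configured, and a
# dedicated ruleset writes the raw line minus its PRI to its own file so HX
# audit events do not get mixed into /var/log/messages.
write_rsyslog_tls_conf() {
  local out=$1 cert=$2 key=$3 ca=$4 logfile=$5
  cat > "$out" <<EOF
global(
  DefaultNetstreamDriver="gtls"
  DefaultNetstreamDriverCAFile="$ca"
  DefaultNetstreamDriverCertFile="$cert"
  DefaultNetstreamDriverKeyFile="$key"
)
# Mode 1 = TLS only, plaintext connections are refused.
# AuthMode anon = the server does not check a client certificate, so the
# firewall rule is the only thing restricting who may connect.
module(
  load="imtcp"
  StreamDriver.Name="gtls"
  StreamDriver.Mode="1"
  StreamDriver.AuthMode="anon"
)
template(name="HxRawLine" type="string" string="%rawmsg-after-pri%\n")
ruleset(name="fireeye_tls") {
  action(type="omfile" file="$logfile" template="HxRawLine"
         fileCreateMode="0640" fileOwner="root" fileGroup="splunk")
}
input(type="imtcp" port="6514" ruleset="fireeye_tls")
EOF
}

# Splunk side: a monitor input on the file rsyslog writes, placed in its own
# app directory so it does not collide with system/local/inputs.conf.
write_splunk_monitor_conf() {
  local out=$1 logfile=$2
  cat > "$out" <<EOF
[monitor://$logfile]
sourcetype = syslog
index = security
disabled = false
EOF
}

# Parse-check the whole rsyslog configuration before touching the daemon.
validate_rsyslog_conf() {
  if command -v rsyslogd >/dev/null 2>&1; then rsyslogd -N1; fi
}

if [ "${1:-}" = apply ]; then
  install_tls_material /etc/auth/cert.pem /etc/auth/privkey.pem
  write_rsyslog_tls_conf /etc/rsyslog.d/fireeye-tls.conf \
    /etc/pki/tls/certs/rslserver-cert.pem /etc/pki/tls/private/rslserver-key.pem \
    /etc/pki/tls/certs/rslserver-ca.pem /var/log/fireeye/hx.log
  mkdir -p /opt/splunk/etc/apps/fireeye_hx/local
  write_splunk_monitor_conf /opt/splunk/etc/apps/fireeye_hx/local/inputs.conf \
    /var/log/fireeye/hx.log
  validate_rsyslog_conf && systemctl restart rsyslog
fi
```

Run it as root with `apply`; rsyslog creates /var/log/fireeye/ on first write. Because the file is 0640 root:splunk, a universal forwarder or splunkd running as the splunk user can read it while other local users cannot. With imptcp gone, nothing listens on 514 any more, which is what you want on a host whose only job is TLS termination for FireEye.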

Once you have chosen a method, point the FireEye HX Cloud syslog destination at the listener and confirm that events arrive. TLS protects the logs in transit against eavesdropping and tampering; it does not by itself authenticate the sender in either configuration above (requireClientCert = false on the Splunk side, Authmode anon on the rsyslog side), so keep the acceptFrom list and the firewall rule tight, and turn client certificate authentication on if the sender can present a certificate.

These instructions are written for FireEye HX Cloud, but the same listeners accept syslog over TLS from any source you can point at them. Review the protocol versions and cipher suites you allow from time to time and tighten them as the sender's support improves.

Reference:

https://github.com/CyberSecThreat-Corporation-Limited/Splunk/blob/under-review/rsyslog-ssl-rh7.conf

https://github.com/CyberSecThreat-Corporation-Limited/Splunk/blob/under-review/rsyslog-ssl_rh8.conf
