Old 10-01-2009, 03:58 PM   #1
Secure connection between Splunk and syslog-ng

I'd like to set up a combination of syslog-ng and Splunk to aggregate all my log files.

I've got it working with syslog-ng forwarding logs to a number of different TCP ports opened by Splunk, but now I'd like to add a layer of encryption so I can start pulling in logs over the internet.

Unfortunately, I can't seem to get Splunk to accept my certificates. I've tried generating new ones and I still get the same error:

10-01-2009 15:44:15.468 ERROR SSLCommon - Can't read key file /company/etc/splunkssl/server.crt
10-01-2009 15:44:15.468 ERROR TcpInputProc - SSL server certificate not found, or password is wrong - SSL ports will not be opened

There's no password on the file, and I tried generating one with a password and I get the same result.

It seems to work fine on the syslog-ng side.

Has anyone managed to get encryption between Splunk and syslog-ng working? Or will I be forced to use stunnel or a local syslog-ng server to receive the encrypted logs and pass them to Splunk?
Old 10-02-2009, 09:06 AM   #2
I guess the permissions on the cert file are just not right. I guess Splunk is run as an extra user (not root), so this user needs to be able to read this file.
Here's how I go about checking whether there are permission issues:

su username
ls -l /path/to/file/i/want/to/check
If this all goes well, I know the permissions are right. If there is a "not allowed" or "permission denied" message, I know they're not.

Note that all directories on the way up to the file need to have the right permission. Either set them with

chmod -R 755 /lowest_dir
to have everybody able to read the directories, or use ACLs:

setfacl -m user:username:rx /path/to/dir
setfacl -m user:username:r /path/to/file
(search access on each directory along the way, read access on the cert file itself)

If all this doesn't get Splunk to use the cert, you will need to use stunnel, or maybe the cert is in the wrong format (but I can't really think of any other cert format than X.509 that is in wide use).

Cheers Zhjim
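The manual `su username; ls -l` check above has to be repeated for every directory between `/` and the certificate, because a missing search (x) bit on any one of them produces the same "can't read" failure as a bad mode on the file itself. The script below is an added example (not the poster's code and not anything shipped with Splunk or syslog-ng) that does that walk for a given uid and set of gids using the ordinary owner/group/other mode bits, and reports exactly which component blocks access. The `demo()` function builds a constructed tree (`splunkssl/server.crt` under a temporary directory) and simulates a non-owner service account with constructed uid/gid values; `groups_for()` is the helper you would use to look up a real local account instead. ACLs and mandatory access control (SELinux, AppArmor) are not modelled here, so a pass from this script is necessary but not sufficient.

```python
import grp
import os
import pwd
import shutil
import stat
import tempfile


def groups_for(username):
    """All gids (primary + supplementary) of a local account, for use with check_path()."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return gids


def _has(st, uid, gids, perm):
    """Classic DAC check of one permission ('r', 'w' or 'x') for uid/gids on a stat result."""
    bit = {"r": 4, "w": 2, "x": 1}[perm]
    if uid == 0:
        return True  # root bypasses mode bits; LSM policy is not modelled
    if st.st_uid == uid:
        shift = 6  # owner triplet
    elif st.st_gid in gids:
        shift = 3  # group triplet
    else:
        shift = 0  # other triplet
    return bool((st.st_mode >> shift) & bit)


def check_path(path, uid, gids, root="/"):
    """Can uid traverse every directory from root down to path and then read path?

    Returns (ok, problems); problems lists each blocking component with its mode.
    Components above `root` are assumed traversable (handy for tests under /tmp).
    """
    path = os.path.realpath(path)
    root = os.path.realpath(root)
    rel = os.path.relpath(path, root)
    if rel.startswith(".."):
        raise ValueError(f"{path} is not below {root}")
    parts = [] if rel == "." else rel.split(os.sep)
    dirs, cur = [root], root
    for part in parts[:-1]:
        cur = os.path.join(cur, part)
        dirs.append(cur)
    problems = []
    for d in dirs:
        st = os.stat(d)
        if not _has(st, uid, gids, "x"):
            problems.append(f"{d}: no search (x) permission, mode {stat.filemode(st.st_mode)}")
    st = os.stat(path)
    if not _has(st, uid, gids, "r"):
        problems.append(f"{path}: no read permission, mode {stat.filemode(st.st_mode)}")
    return (not problems, problems)


def demo():
    """Constructed scenario: server.crt under a 0700 directory, checked for a non-owner account."""
    base = tempfile.mkdtemp()
    try:
        os.chmod(base, 0o755)
        certdir = os.path.join(base, "splunkssl")
        os.mkdir(certdir)
        os.chmod(certdir, 0o700)  # readable/searchable by the owner only
        crt = os.path.join(certdir, "server.crt")
        with open(crt, "w") as f:
            f.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
        os.chmod(crt, 0o644)
        # Simulated service account (constructed): owns nothing here and shares no group.
        svc_uid, svc_gids = os.getuid() + 1, {os.getgid() + 1}
        before = check_path(crt, svc_uid, svc_gids, root=base)   # blocked by the directory
        os.chmod(certdir, 0o755)                                  # the fix from the post
        after = check_path(crt, svc_uid, svc_gids, root=base)    # now readable
        os.chmod(crt, 0o600)                                      # private-key style mode
        locked = check_path(crt, svc_uid, svc_gids, root=base)   # blocked by the file itself
        return before[0], after[0], locked[0], before[1]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for line in demo()[3]:
        print(line)
```

In real use you would call `check_path("/company/etc/splunkssl/server.crt", pwd.getpwnam("splunk").pw_uid, groups_for("splunk"))` with the actual service account name; the script needs no privileges beyond being able to `stat` the path components, so it can run before restarting the daemon.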


ssl, syslogng, tls