LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 10-01-2009, 02:58 PM   #1
fantasygoat
Member
 
Registered: Sep 2009
Posts: 119

Secure connection between Splunk and syslog-ng


I'd like to set up a combination of syslog-ng and Splunk to aggregate all my log files.

I've got it working with syslog-ng forwarding logs to a number of different TCP ports opened by Splunk, but now I'd like to add a layer of encryption so I can start pulling in logs over the internet.

Unfortunately, I can't seem to get Splunk to accept my certificates. I've tried generating new ones and I still get the same error:

10-01-2009 15:44:15.468 ERROR SSLCommon - Can't read key file /company/etc/splunkssl/server.crt
10-01-2009 15:44:15.468 ERROR TcpInputProc - SSL server certificate not found, or password is wrong - SSL ports will not be opened

There's no password on the file, and I tried generating one with a password and I get the same result.

It seems to work fine on the syslog-ng side.

Has anyone managed to get encryption between Splunk and syslog-ng working? Or will I be forced to use stunnel or a local syslog-ng server to receive the encrypted logs and pass them to Splunk?
 
Old 10-02-2009, 08:06 AM   #2
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,453
Blog Entries: 11

I guess the permissions on the cert file are just not right. I guess splunk is run as an extra user (not root), so this user needs to be able to read this file.
Here's how I go about checking whether there are permission issues:

Code:
su username
ls -l /path/to/file/i/want/to/check
If this all goes well I know the permissions are right. If there is a "not allowed" or "permission denied" message, I know they're not.

Note that all directories on the way up to the file need to have the right permissions. Either set them with

Code:
chmod 755 /lowest_dir -R
to have everybody able to read the directories, or use ACLs:

Code:
# directories need rx for the user, the cert file itself needs r
setfacl -m user:username:rx /path/to/dir
setfacl -m user:username:r /path/to/dir/server.crt

If all this won't get splunk to use the cert you will need to use stunnel, or maybe the cert is in the wrong format (but I can't really think of any other cert format than X.509 [that is in wide use]).


Cheers Zhjim
 
Tags
ssl, syslogng, tls