LinuxQuestions.org

Linux - Security: Secure connection between Splunk and syslog-ng (https://www.linuxquestions.org/questions/linux-security-4/secure-connection-between-splunk-and-syslog-ng-759050/)

fantasygoat 10-01-2009 02:58 PM

Secure connection between Splunk and syslog-ng
 
I'd like to set up a combination of syslog-ng and Splunk to aggregate all my log files.

I've got it working with syslog-ng forwarding logs to a number of different TCP ports opened by Splunk, but now I'd like to add a layer of encryption so I can start pulling in logs over the internet.

Unfortunately, I can't seem to get Splunk to accept my certificates. I've tried generating new ones and I still get the same error:

10-01-2009 15:44:15.468 ERROR SSLCommon - Can't read key file /company/etc/splunkssl/server.crt
10-01-2009 15:44:15.468 ERROR TcpInputProc - SSL server certificate not found, or password is wrong - SSL ports will not be opened

There's no password on the file, and I tried generating one with a password and I get the same result.

It seems to work fine on the syslog-ng side.

Has anyone managed to get encryption between Splunk and syslog-ng working? Or will I be forced to use stunnel or a local syslog-ng server to receive the encrypted logs and pass them to Splunk?

zhjim 10-02-2009 08:06 AM

I guess the permissions on the cert file are just not right. I guess Splunk is run with an extra user (not root), so this user needs to be able to read this file.
Here's how I go about checking whether there are permission issues:

Code:

su username
ls -l /path/to/file/i/want/to/check

If this all goes well I know the permissions are right. If there's a "not allowed" or "permission denied" message I know they're not ;)

Note that all directories on the way up to the file need to have the right permissions. Either set them with

Code:

chmod -R 755 /lowest_dir
to have everybody able to read the directories, or use ACLs

Code:

setfacl -m user:username:rx /lowest_dir
setfacl -m user:username:r /path/to/file/i/want/to/check

If all this won't get Splunk to use the cert you will need to use stunnel, or maybe the cert is in the wrong format (but I can't really think of any other cert format than X.509 [that is in wide use]).


Cheers Zhjim
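
The walk zhjim describes (check every directory up to the file, then the file itself, as the user the daemon runs as) can be done without switching users or knowing that account's password: stat each component and apply the same owner/group/other mode-bit test the kernel does. The script below is an added example, not code from the thread. It assumes the target user is given by uid plus group list; it only flags POSIX ACLs (the "+" you see in ls -l) rather than evaluating them, and treats uid 0 as always allowed. The placeholder certificate and the private/ directory in demo() are constructed for the example.

```python
#!/usr/bin/env python3
"""Explain why a user (e.g. the account Splunk runs as) cannot read a file.

Added example, not code from the thread. It walks every directory on the way
to the file and applies the classic Unix mode-bit check for a chosen uid and
group list, so you do not need that user's password or a root shell to find
the component that blocks access. Assumptions: POSIX ACLs are only flagged
(a '+' in ls -l), not evaluated; uid 0 is treated as always allowed.

Usage:  python3 check_read_access.py /company/etc/splunkssl/server.crt splunk
"""
import grp
import os
import pwd
import shutil
import stat
import sys
import tempfile

NEED_EXEC = 1  # search (x) bit: required on every directory along the path
NEED_READ = 4  # read (r) bit: required on the file itself


def mode_allows(mode, st_uid, st_gid, uid, gids, need):
    """Pick the owner/group/other triplet that applies to uid+gids and test
    the requested bit. uid 0 passes, mirroring root's DAC override."""
    if uid == 0:
        return True
    if uid == st_uid:
        bits = (mode >> 6) & 7
    elif st_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return bool(bits & need)


def has_posix_acl(path):
    """True if the inode carries an access ACL; the mode bits alone are then
    not the whole story (getfacl shows the real rules). Linux attribute name."""
    try:
        return "system.posix_acl_access" in os.listxattr(path)
    except (OSError, AttributeError):
        return False


def path_prefixes(path):
    """Directories that must be searchable to reach path, outermost first:
    /a/b/c.crt -> ['/', '/a', '/a/b']."""
    parts = os.path.abspath(path).split(os.sep)
    return [os.sep] + [os.sep.join(parts[: i + 1]) for i in range(1, len(parts) - 1)]


def explain_access(path, uid, gids):
    """Return a dict: readable (bool), blocked_at (first denying component or
    None) and report (one line per component, like ls -ld plus a verdict)."""
    report, blocked_at = [], None
    steps = [(d, NEED_EXEC) for d in path_prefixes(path)] + [(path, NEED_READ)]
    for p, need in steps:
        st = os.stat(p)
        ok = mode_allows(st.st_mode, st.st_uid, st.st_gid, uid, gids, need)
        acl = "+" if has_posix_acl(p) else " "
        report.append("%s%s %5d %5d %-4s %s" % (stat.filemode(st.st_mode), acl,
                      st.st_uid, st.st_gid, "ok" if ok else "DENY", p))
        if not ok:
            blocked_at = p
            break
    return {"readable": blocked_at is None, "blocked_at": blocked_at, "report": report}


def resolve_user(name):
    """uid plus primary and supplementary gids for a login name."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


def demo():
    """Constructed tree mimicking the thread: base/private (0700) holding
    server.crt (0644), checked for a uid/gid pair that owns neither. The file
    itself is world-readable, yet the walk stops at the 0700 directory."""
    base = tempfile.mkdtemp()
    try:
        os.chmod(base, 0o755)                  # keep the temp root traversable
        private = os.path.join(base, "private")
        os.mkdir(private)
        os.chmod(private, 0o700)
        cert = os.path.join(private, "server.crt")
        with open(cert, "w") as fh:            # constructed placeholder, not a real cert
            fh.write("-----BEGIN CERTIFICATE-----\nplaceholder\n-----END CERTIFICATE-----\n")
        os.chmod(cert, 0o644)
        st = os.stat(cert)
        result = explain_access(cert, st.st_uid + 1, {st.st_gid + 1})
        result["cert"] = cert
        return result
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s FILE USERNAME" % sys.argv[0])
    uid, gids = resolve_user(sys.argv[2])
    res = explain_access(sys.argv[1], uid, gids)
    print("\n".join(res["report"]))
    print("readable by %s: %s" % (sys.argv[2], res["readable"]))
```

Run it against the real path with the real service account and the first DENY line is the directory to fix; a "+" after the mode means an ACL is in play and getfacl on that component is the authoritative answer, not this emulation.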

