Secure connection between Splunk and syslog-ng
I'd like to set up a combination of syslog-ng and Splunk to aggregate all my log files.
I've got it working with syslog-ng forwarding logs to a number of different TCP ports opened by Splunk, but now I'd like to add a layer of encryption so I can start pulling in logs over the internet. Unfortunately, I can't seem to get Splunk to accept my certificates. I've tried generating new ones and I still get the same error:
Code:
10-01-2009 15:44:15.468 ERROR SSLCommon - Can't read key file /company/etc/splunkssl/server.crt
10-01-2009 15:44:15.468 ERROR TcpInputProc - SSL server certificate not found, or password is wrong - SSL ports will not be opened
There's no password on the file, and I tried generating one with a password and I get the same result. It seems to work fine on the syslog-ng side. Has anyone managed to get encryption between Splunk and syslog-ng working? Or will I be forced to use stunnel or a local syslog-ng server to receive the encrypted logs and pass them to Splunk?
I guess the permissions on the cert file are just not right. I guess splunk is run with an extra user (not root). So this user needs to be able to read this file.
Here's how I went about checking whether there are permission issues:
Code:
su username
Note that all directories on the way up to the file need to have the right permission. Either set them with
Code:
chmod 755 /lowest_dir -R
or
Code:
setfacl -m user:username:permission
If this all won't get splunk to use the cert you will need to use stunnel, or maybe the cert is in the wrong format (but I can't really think of any other cert format than X.509 [that is in wide use]).
Cheers
Zhjim
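A scripted version of that permission walk, added here as an example and not part of the original thread: it evaluates the classic mode bits on every directory leading to the certificate and on the file itself for a given user, so you can see exactly which component blocks the Splunk user without switching to that user. The user name "splunk" and the path from the question are placeholders for your own install.

```python
import os
import pwd
import grp
import stat

def user_ids(username):
    """Resolve a user name to (uid, gids) including supplementary groups."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids

def _allowed(st, uid, gids, usr_bit, grp_bit, oth_bit):
    """Apply the owner/group/other mode bits of one stat result to uid/gids."""
    if st.st_uid == uid:
        return bool(st.st_mode & usr_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & grp_bit)
    return bool(st.st_mode & oth_bit)

def find_access_problems(path, uid, gids):
    """List what stops uid (with group ids gids) from reading path.
    Returns [] when every ancestor directory is searchable and the file is
    readable.  Only mode bits are checked: POSIX ACLs added with setfacl are
    not consulted, so an ACL-only grant still shows up here as a problem.
    uid 0 bypasses mode bits and always gets []."""
    if uid == 0:
        return []
    path = os.path.realpath(path)          # follow symlinks first
    problems = []
    # collect every ancestor directory, from the file's parent up to /
    ancestors, d = [], os.path.dirname(path)
    while ancestors[-1:] != [d]:
        ancestors.append(d)
        d = os.path.dirname(d)
    for d in reversed(ancestors):          # walk from / downwards
        try:
            st = os.stat(d)
        except FileNotFoundError:
            problems.append("directory does not exist: %s" % d)
            continue
        if not _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append("no search (x) permission on directory %s" % d)
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return problems + ["file does not exist: %s" % path]
    if not _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        problems.append("no read permission on file %s" % path)
    return problems
```

Call `find_access_problems("/company/etc/splunkssl/server.crt", *user_ids("splunk"))`; an empty list means the mode bits are not what is stopping Splunk, so look at the file format or at ACLs instead.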