![]() You can do this via the CLI using the following command on your Splunk instance: $SPLUNK_HOME/bin/splunk restart splunkd Details to fill in on your Canary Console You will need to restart the Splunk process in order for this new configuration to take effect. In that file you will need to set the following configuration values: Once this is done, then your Splunk HEC will make use of the same certificate as your Splunk Management system.Īlternatively, you could have the certificate be specific to only your Splunk HEC, in order to do that you will need to be able to edit the following file on your Splunk instance: $SPLUNK_HOME/etc/apps/splunk_httpinput/local/nf When your certificates are in the correct format, you will need to follow this either of these links to configure your Splunk Indexer or Splunk Forwarder to use the new certificates you obtained above. Once you have your certificates, you can follow this link to ensure that they are formatted correctly to be used by Splunk. The instructions to get self-signed certificates on your Splunk Enterprise instance are here. However, you would need to contact in order for us to get your Canary Console to explicitly trust the CA that you used when creating the self-signed certificate. It is preferable to use a certificate from a trusted third-party CA, but if you would like to use a self-signed certificate, then your Canary Console does support this. In order to ensure your Splunk Enterprise instance is making use of SSL certificates, you can follow this link to get a certificate that is signed by a trusted third-party Certificate Authority (CA). We require that your HEC has SSL enabled so that communications between your Canary Console and your Splunk instance are kept secure and confidential. ![]() NOTE: when creating the new HEC token that you will use, use the picture below as the guide for "Input Settings":Įnable Splunk Enterprise HEC SSL (you can skip this section if your Splunk HEC already has SSL enabled) Setup steps for Splunk Enterprise usersįirstly ensure that the HEC is set up on your Splunk Cloud instance by following the instructions here. There are separate sections below because setups differ for Splunk Enterprise and for Splunk Cloud users (Note, Splunk Cloud Free trial accounts are not currently supported). The Canary Console will post to Splunk's HTTP Event Collector (HEC) which is a data input that comes standard with all Splunk installations. Your Canary Console is capable of posting incidents from your Canaries, to an instance of Splunk that you control.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |