Setup Splunk Universal Forwarder with TLS
One of the best practices when setting up a Splunk Universal Forwarder (UF) as a log intake point is to encrypt the incoming log traffic with TLS. This matters most when the sender is an external source on the Internet, e.g. a SaaS solution, because plaintext syslog across the Internet exposes the log contents to anyone on the path and lets them inject or alter messages. In practice the TLS listener is syslog-ng running on the UF host: syslog-ng terminates TLS and writes the messages to disk, and the UF reads them from there. In this blog I will demonstrate the steps to get this set up.
First, we create a public DNS A record for the UF host, since it will be receiving logs from the Internet. The name in this record is the name the certificate will be issued for, and the name the sender will verify against, so choose it before requesting the certificate.
Next, we purchase a TLS certificate for the name we just registered. Assume the domain name we use for the certificate is syslog.contoso.com; it must appear in the certificate's Subject Alternative Name, because a sender that validates the certificate will reject a name mismatch.
On the UF host, run openssl to generate a CSR to submit to the public CA (DigiCert, GoDaddy, ...). Generating the CSR also generates the private key; only the CSR leaves the host.
Move the private key into syslog-ng's cert.d folder (it was generated along with the CSR). Restrict it to the user syslog-ng runs as (mode 0600) and never send it to the CA or to the log sender; anyone holding that key can impersonate your listener.
Submit the CSR to the CA and wait for the certificate to be issued. Once you receive it, upload the certificate together with the CA's intermediate certificate to the UF host and place them in the syslog-ng cert.d folder. The sender needs the intermediate to build a trust chain, so serve it alongside the leaf certificate rather than the leaf alone.
Once the certificate and its private key are in place, add a TLS network source that references the two files to syslog-ng's configuration. The main config is normally /etc/syslog-ng/syslog-ng.conf, which on most distributions includes every file in /etc/syslog-ng/conf.d/, so a dedicated file such as /etc/syslog-ng/conf.d/syslog-ng.conf keeps the intake definition separate. Keep in mind that a server certificate only authenticates your listener to the sender; it does not authenticate the sender. Unless the SaaS can present a client certificate (mutual TLS), restrict the listener to the sender's egress IP ranges at the firewall, otherwise anyone on the Internet can push data into your Splunk index.
Check the configuration syntax, then restart the syslog-ng service rather than Splunk: it is syslog-ng, not the UF, that owns the TLS listener. The host should now accept logs over TLS; confirm from a machine outside your network that the listener presents the expected certificate and chain.
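The whole procedure above as one script, added here as an example; it is not code from the original post and not tooling shipped by Splunk or syslog-ng. It assumes hypothetical values (the name syslog.contoso.com, the directory /etc/syslog-ng/cert.d, a snippet file /etc/syslog-ng/conf.d/tls-intake.conf, port 6514, syslog-ng managed by systemd) and OpenSSL 1.1.1 or newer for the -addext and -ext options:

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: CSR generation, key handling,
# the syslog-ng TLS source, and the post-restart check, as one script.
# Assumed (hypothetical) values: syslog.contoso.com, /etc/syslog-ng/cert.d,
# /etc/syslog-ng/conf.d/tls-intake.conf, port 6514 (the IANA port for syslog
# over TLS), and syslog-ng started via systemd.
set -eu

FQDN="${FQDN:-syslog.contoso.com}"
CERT_DIR="${CERT_DIR:-/etc/syslog-ng/cert.d}"
CONF_FILE="${CONF_FILE:-/etc/syslog-ng/conf.d/tls-intake.conf}"
TLS_PORT="${TLS_PORT:-6514}"

# Step 1: key + CSR on the UF host. umask 077 so the key is never world-readable,
# not even briefly. The CSR is the only artifact that goes to the CA.
make_csr() {
  dir="$1"; fqdn="$2"
  mkdir -p "$dir"
  ( umask 077 && openssl req -new -newkey rsa:2048 -nodes \
      -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.csr" \
      -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" )
  echo "submit $dir/$fqdn.csr to the CA; $dir/$fqdn.key stays on this host"
}

# Step 2: install the issued certificate. Leaf and intermediate are concatenated
# so senders can build the chain, and the key's public half is compared against
# the certificate's before anything is restarted: a key/cert mismatch produces a
# listener that fails every handshake, which is painful to debug after the fact.
install_cert() {
  dir="$1"; fqdn="$2"; leaf="$3"; intermediate="$4"
  cat "$leaf" "$intermediate" > "$dir/$fqdn.crt"
  chmod 0644 "$dir/$fqdn.crt"
  chmod 0600 "$dir/$fqdn.key"
  key_pub=$(openssl pkey -in "$dir/$fqdn.key" -pubout -outform DER | sha256sum)
  crt_pub=$(openssl x509 -in "$dir/$fqdn.crt" -noout -pubkey \
            | openssl pkey -pubin -pubout -outform DER | sha256sum)
  [ "$key_pub" = "$crt_pub" ] || { echo "key/cert mismatch" >&2; return 1; }
}

# Step 3: the syslog-ng source. peer-verify(optional-untrusted) gives server-side
# TLS only: the stream is encrypted and the listener proves its identity, but any
# client is accepted, so pair it with a firewall allow-list of the SaaS egress
# ranges. If the sender can present a client certificate, switch to
# peer-verify(required-trusted) and add ca-file() pointing at the issuing CA.
render_conf() {
  dir="$1"; fqdn="$2"; port="$3"
  cat <<EOF
# TLS syslog intake in front of the Splunk Universal Forwarder
source s_tls_intake {
    network(
        ip("0.0.0.0")
        port($port)
        transport("tls")
        tls(
            key-file("$dir/$fqdn.key")
            cert-file("$dir/$fqdn.crt")
            peer-verify(optional-untrusted)
            ssl-options(no-sslv2, no-sslv3, no-tlsv1, no-tlsv11)
        )
    );
};
destination d_tls_intake { file("/var/log/syslog-ng/tls-intake.log"); };
log { source(s_tls_intake); destination(d_tls_intake); };
EOF
}

# Step 4: syntax-check first, then restart syslog-ng (not Splunk).
apply_conf() {
  render_conf "$CERT_DIR" "$FQDN" "$TLS_PORT" > "$CONF_FILE"
  syslog-ng --syntax-only
  systemctl restart syslog-ng
}

# Step 5: what the sender will see. Run this from outside the network; a chain
# verification error here usually means the intermediate is missing from cert-file().
check_listener() {
  fqdn="$1"; port="$2"
  openssl s_client -connect "$fqdn:$port" -servername "$fqdn" </dev/null \
    | openssl x509 -noout -subject -ext subjectAltName -dates
}

case "${1:-}" in
  csr)     make_csr "$CERT_DIR" "$FQDN" ;;
  install) install_cert "$CERT_DIR" "$FQDN" "$2" "$3" ;;
  apply)   apply_conf ;;
  check)   check_listener "$FQDN" "$TLS_PORT" ;;
esac
```

Run it in order: `csr`, then after the CA responds `install leaf.crt intermediate.crt`, then `apply`, and finally `check` from a host outside your network. The ssl-options() line disables everything below TLS 1.2; if the SaaS sender still needs an older protocol version, that is a reason to push back on the sender rather than to weaken the listener.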