So I'm looking at Splunk to do some log aggregation, parsing and monitoring, along with anything and everything else it can do. While the install was pretty straightforward on Windows, the initial configuration cost me a few brain cells. As a result, I decided to post some notes here on what I did to set things up.
If you are reading this, you should already know a little about Splunk, including that it uses a web browser for the management interface. You can use local accounts or LDAP (AD) accounts for access. Either way, you should always use https instead of http to protect credentials in transit. If you are going to use Active Directory accounts, you should also use LDAPS instead of LDAP, which I will cover in the next post on Splunk.
Using https for the web interface is easy; you just check a box in the setup. But if that is all you do, you will be using the self-signed cert Splunk generated at install time, which brings up the whole issue of certificate warnings that I hate (and that teach users to click through warnings, which is the real problem). Therefore, the first task was to figure out how to use certificates issued by my AD-integrated Certificate Authority.
Setting up Splunk 4.0 for Windows to use certificates generated by your own Windows CA
This assumes you have installed Splunk as usual on your Windows server, you are doing the heavy lifting on your Windows 7 workstation, and that you have an enterprise CA in your environment whose root cert is trusted by all clients. All operating systems used were 32-bit versions.
First, you will find that the self-signed certificate and private key are stored on your Splunk server in C:\Program Files\Splunk\share\splunk\certs as cert.pem and privkey.pem. Rename them, adding .jic to the end of the filenames, just in case.
Next, you need to install the Visual C++ 2008 Redistributable on your workstation if you have not already. Download it from http://www.microsoft.com/downloads/details.aspx?familyid=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF&displaylang=en and install it using all defaults.
Then, download and install the Win32 version of OpenSSL v0.9.8I light from http://www.slproweb.com/products/Win32OpenSSL.html, again using all the defaults. Make sure to get the right version for your operating system.
Once installed, open an administrative command prompt, change to the OpenSSL bin directory and issue the following commands. A leading dash shows the command, with the output underneath. Two things to keep in mind: the 1024-bit key used below is now under the CA/Browser Forum minimum, so use 2048 bits or more, and privkey.pem is the server's private key, so treat every copy of it accordingly.
- C:\OpenSSL\bin>openssl genrsa -out privkey.pem 1024 [enter]
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......++++++
...........++++++
e is 65537 (0x10001)
- C:\OpenSSL\bin>openssl req -new -key privkey.pem -out splunk.csr [enter]
Loading 'screen' into random state - done
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:fill out what you want
State or Province Name (full name) [Some-State]:fill out what you want
Locality Name (eg, city) []:fill out what you want
Organization Name (eg, company) [Internet Widgits Pty Ltd]:fill out what you want
Organizational Unit Name (eg, section) []:fill out what you want
Common Name (eg, YOUR name) []:the fully qualified DNS name of the Splunk server, exactly as users will type it in the browser (a name that does not match the address bar still gets you a warning)
Email Address []:fill out what you want
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Take the splunk.csr file and submit it to your CA, choosing the Web Server template. Obtain the issued certificate and save it on your workstation in the C:\OpenSSL\bin directory, next to the key and CSR, so the command below can find it without a path.
Now, since the Windows CA hands the certificate out in DER format by default and Splunk wants PEM, we need to convert the certificate from DER to PEM. (If you picked Base64 encoding on the enrollment page when downloading, the file is already PEM and this step can be skipped.)
- C:\OpenSSL\bin>openssl x509 -in certnew.cer -inform DER -out cert.pem -outform PEM
Copy privkey.pem and cert.pem to your Splunk server at C:\Program Files\Splunk\share\splunk\certs, restart Splunk, and Bob's your uncle. Do browse to the site and look at the certificate the browser shows you: it should be the one your CA just issued, not the old self-signed one, and the name on it should match the address bar. Also, once the server has privkey.pem, delete the copy left on your workstation, or at least lock it down.
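The whole procedure, as an added example that is not from the original post and not anything Splunk ships: the same key, CSR and DER-to-PEM steps done in bash with current parameters, followed by the checks worth running before copying the files to the server (does the cert match the key, does it chain to the root, does it match the host name). The host name splunk.corp.example, the organisation name, the scratch directory and the throwaway "Lab Root CA" are all made up; the lab CA stands in for the Windows enterprise CA so the script runs offline, and hands the certificate back in DER exactly as the post describes. It assumes an openssl binary of 1.0.2 or later on the PATH (for -verify_hostname).

```shell
#!/bin/sh
# Added example (not from the original post): key, CSR, DER->PEM conversion and
# pre-deployment checks for a Splunk web certificate, with a throwaway root CA
# standing in for the Windows enterprise CA so everything runs offline.
set -e

# Assumptions, not from the post: made-up host name, org name and scratch dir.
SPLUNK_FQDN="${SPLUNK_FQDN:-splunk.corp.example}"
WORK="${WORK:-$(mktemp -d)}"

# Step 1: private key and CSR. 2048 bits (the post used 1024, now too small).
# CN is the name users type into the browser; the SAN added at signing time
# repeats it, because current browsers match on subjectAltName, not CN.
make_key_and_csr() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
                '[dn]' "CN = $SPLUNK_FQDN" 'O = Example Corp' >"$WORK/req.cnf"
  openssl genrsa -out "$WORK/privkey.pem" 2048 2>/dev/null
  openssl req -new -key "$WORK/privkey.pem" -config "$WORK/req.cnf" -out "$WORK/splunk.csr"
}

# Step 2: stand-in for the Windows CA. A lab root signs the CSR with the
# extensions a Web Server template would add and returns the cert as DER,
# which is what the post says the Windows CA hands out.
issue_from_lab_ca() {
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
                '[dn]' 'CN = Lab Root CA' >"$WORK/ca_req.cnf"
  printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
                'keyUsage = critical,keyCertSign,cRLSign' >"$WORK/ca_ext.cnf"
  printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature,keyEncipherment' \
                'extendedKeyUsage = serverAuth' "subjectAltName = DNS:$SPLUNK_FQDN" >"$WORK/srv_ext.cnf"
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ca.key" -config "$WORK/ca_req.cnf" -out "$WORK/ca.csr"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 30 \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/splunk.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/srv_ext.cnf" \
    -outform DER -out "$WORK/certnew.cer" 2>/dev/null
}

# Step 3: DER -> PEM, as in the post. Detect the format first: the Windows
# enrollment page can also hand out Base64 (already PEM), and feeding PEM
# to -inform DER just errors out.
convert_to_pem() {
  in="$1"; out="$2"
  if grep -aq 'BEGIN CERTIFICATE' "$in"; then
    cp "$in" "$out"
  else
    openssl x509 -in "$in" -inform DER -out "$out" -outform PEM
  fi
}

# Step 4: checks before copying anything to share/splunk/certs.
# Does the cert really belong to privkey.pem? Compare the public keys.
cert_matches_key() {
  k=$(openssl rsa -in "$WORK/privkey.pem" -pubout 2>/dev/null | openssl dgst -sha256)
  c=$(openssl x509 -in "$WORK/cert.pem" -pubkey -noout | openssl dgst -sha256)
  [ "$k" = "$c" ]
}
# Does it chain to the root the clients trust? (Grep the verdict rather than
# trusting the exit code: old openssl versions return 0 even on failure.)
cert_chains_to_root() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/cert.pem" 2>&1 | grep -q ': OK'
}
# Will a browser accept it for this host name?
cert_matches_hostname() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$1" "$WORK/cert.pem" 2>&1 | grep -q ': OK'
}

run_all() {
  make_key_and_csr
  issue_from_lab_ca
  convert_to_pem "$WORK/certnew.cer" "$WORK/cert.pem"
  cert_matches_key && cert_chains_to_root && cert_matches_hostname "$SPLUNK_FQDN"
}

run_all
echo "OK: copy $WORK/privkey.pem and $WORK/cert.pem to the Splunk certs directory"
```

In the real procedure only Steps 1, 3 and 4 run on your workstation; Step 2 is what the Windows CA does for you when you submit the CSR, and the `ca.pem` used in the checks is then your enterprise root exported from the CA. The host name check is the one most people skip and the one that still produces a browser warning after everything else is right.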
There is some content on the logon page, and on the initial application page, that is pulled down from the Splunk website using http:// links. This will cause IE to bark about insecure content, and Chrome to show a warning icon; these are annoying, but not show stoppers. Remember, our goal is to secure logon credentials, and that we have just done. Also, IE and Chrome both use the Windows OS certificate store, but Firefox uses its own, so in Firefox you will still need to import and trust your CA's root certificate (and any intermediate) before the warnings stop.
I hope that this helps someone else out. In the next Splunk post I will go over how to use Active Directory instead of local accounts.
Hello there – I am really impressed with the way you are providing the information. Please do reply to this mail. I have a few queries to ask you .. please do this favor for me.
- Krishna
Hi Krishna,
Thanks for the kind words. If you have some questions, please reply to this comment, or you could use the contact link.
Cheers,
Ed