From d6cf4703e0940b078e3dfea6e57cf489a3050148 Mon Sep 17 00:00:00 2001
From: Ilya Kheifets
Date: Mon, 19 Feb 2024 23:39:56 +0100
Subject: [PATCH] feat: use more generic names for certs and add docs
---
 docs/edge_processor.md | 18 ++++++++++++++++++
 mkdocs.yml | 1 +
 .../conf.d/conflib/_common/t_templates.conf | 1 +
 .../conf.d/destinations/dest_hec/plugin.jinja | 4 ++--
 package/sbin/entrypoint.sh | 2 +-
 5 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 docs/edge_processor.md
diff --git a/docs/edge_processor.md b/docs/edge_processor.md
new file mode 100644
index 0000000000..59ad45330f
--- /dev/null
+++ b/docs/edge_processor.md
@@ -0,0 +1,18 @@
+# SC4S + EP guide (Experimental)
+
+## Basic Setup:
+
+* Use IP of EP instance as HEC URL: `SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=http://x.x.x.x:8088`
+* Use token from EP Global Settings: `SC4S_DEST_SPLUNK_HEC_DEFAULT_TOKEN=secret`
+* Use EP API format: `SC4S_HEC_TEMPLATE=t_edge_hec`
+
+## TLS:
+
+* Switch to HTTPS at HEC: `SC4S_DEST_SPLUNK_HEC_DEFAULT_URL=https://x.x.x.x:8088`
+* [Generate certificates](https://docs.splunk.com/Documentation/SplunkCloud/9.1.2308/EdgeProcessor/SecureForwarders)
+* Upload certs at Edge Processor TLS settings
+* Rename `Client cert` to `cert.pem`
+* Rename `Client key` to `key.pem`
+* Rename `CA Cert` to `ca_cert.pem`
+* Mount dir with certs to `/etc/syslog-ng/tls/hec`
+* Set path for TLS dir: `SC4S_DEST_TLS_MOUNT=/etc/syslog-ng/tls/hec`
diff --git a/mkdocs.yml b/mkdocs.yml
index 9f26aae99d..82fb97e70d 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -57,6 +57,7 @@ nav:
 - SC4S Lite (Experimental):
 - Intro: "lite.md"
 - Pluggable modules: "pluggable_modules.md"
+ - Edge Processor (Experimental): "edge_processor.md"
 - Troubleshooting:
 - SC4S Startup and Validation: "troubleshooting/troubleshoot_SC4S_server.md"
 - SC4S Logging and Troubleshooting Resources: "troubleshooting/troubleshoot_resources.md"
diff --git a/package/etc/conf.d/conflib/_common/t_templates.conf b/package/etc/conf.d/conflib/_common/t_templates.conf index ef5f7013c3..739db616f1 100644 --- a/package/etc/conf.d/conflib/_common/t_templates.conf +++ b/package/etc/conf.d/conflib/_common/t_templates.conf @@ -151,6 +151,7 @@ template t_splunk_hec { template t_edge_hec { template('$(format-json + time=${S_UNIXTIME} host=$(lowercase ${HOST}) source=${.splunk.source:-SC4S} sourcetype=${.splunk.sourcetype:-sc4s:fallback} diff --git a/package/etc/conf.d/destinations/dest_hec/plugin.jinja b/package/etc/conf.d/destinations/dest_hec/plugin.jinja index 5a6d07ffe0..aa47b4b879 100644 --- a/package/etc/conf.d/destinations/dest_hec/plugin.jinja +++ b/package/etc/conf.d/destinations/dest_hec/plugin.jinja @@ -35,8 +35,8 @@ destination d_hec{{ dest_mode }}{{ altname }}{ tls( peer-verify({{ peer_verify }}) {% if tls_mount %} - key-file("{{ tls_mount }}/data_source_client_key.pem") - cert-file("{{ tls_mount }}/data_source_client_cert.pem") + key-file("{{ tls_mount }}/key.pem") + cert-file("{{ tls_mount }}/cert.pem") ca-dir("{{ tls_mount }}") {% endif %} {%- if cipher_suite %} diff --git a/package/sbin/entrypoint.sh b/package/sbin/entrypoint.sh index 728354f44a..9acb8d4477 100755 --- a/package/sbin/entrypoint.sh +++ b/package/sbin/entrypoint.sh @@ -172,7 +172,7 @@ then if [ "${SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY}" == "no" ]; then export NO_VERIFY=-k ; fi if [ -n "${SC4S_DEST_TLS_MOUNT}" ]; then - export HEC_TLS_OPTS="--cert ${SC4S_DEST_TLS_MOUNT}/data_source_client_cert.pem --key ${SC4S_DEST_TLS_MOUNT}/data_source_client_key.pem"; + export HEC_TLS_OPTS="--cert ${SC4S_DEST_TLS_MOUNT}/cert.pem --key ${SC4S_DEST_TLS_MOUNT}/key.pem --cacert ${SC4S_DEST_TLS_MOUNT}/ca_cert.pem"; else export HEC_TLS_OPTS=""; fi
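Review bot: The trust anchor for the syslog-ng HEC destination is still loaded with `ca-dir("{{ tls_mount }}")` on the context line right after the renamed `key-file`/`cert-file` lines, while the new docs tell users to place a single `ca_cert.pem` in that directory and the entrypoint now hands that same file to curl as `--cacert`. syslog-ng's `ca-dir()` only picks up certificates whose filenames are OpenSSL subject-hash names (c_rehash style), so as far as I can tell a plain `ca_cert.pem` would be ignored and, with peer verification enabled, the syslog-ng side would reject the peer even though the curl health check succeeds. Consider `ca-file("{{ tls_mount }}/ca_cert.pem")` to match the entrypoint, keeping `ca-dir()` only if hashed links are actually expected in the mount. The enclosing `destination d_hec…` block starts and ends outside the hunk.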
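Review bot: The added `--cacert ${SC4S_DEST_TLS_MOUNT}/ca_cert.pem` is passed unconditionally whenever `SC4S_DEST_TLS_MOUNT` is set, so a mount that carries only `cert.pem`/`key.pem` and relies on the system trust store (which is what the replaced line did) will now make curl fail on a missing CA file rather than verify against the default bundle. Consider keeping the first line limited to the client cert/key and appending the CA only when present: `if [ -f "${SC4S_DEST_TLS_MOUNT}/ca_cert.pem" ]; then export HEC_TLS_OPTS="${HEC_TLS_OPTS} --cacert ${SC4S_DEST_TLS_MOUNT}/ca_cert.pem"; fi`. Since the context line above exports `NO_VERIFY=-k` when `SC4S_DEST_SPLUNK_HEC_DEFAULT_TLS_VERIFY` is `no`, a short comment such as `# -k (NO_VERIFY) overrides --cacert: with TLS_VERIFY=no the custom CA is never checked` would make that interaction explicit for operators. The enclosing `if … then` block starts outside the hunk.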