Install/Configure Splunkforwarder

# Download the universal forwarder from here: http://www.splunk.com/download/universalforwarder You will need an account to download it.
# Copy it up to the servers:
for i in IPADDRESS1 IPADDRESS2 ; do scp splunkforwarder-5.0.1-143156-linux-2.6-x86_64.rpm DLopez@$i: ; done
# Install RPM: *sudo rpm -ivh splunkforwarder-5.0.1-143156-linux-2.6-x86_64.rpm*
# Start splunk to create the necessary file structure:
root@sc9vl55:/data01/home/DLopez> /etc/init.d/splunk start
Starting Splunk…

Splunk> Finding your faults, just like mom.

Checking prerequisites…
Checking mgmt port [8089]: open
Creating: /opt/splunkforwarder/var/lib/splunk
Creating: /opt/splunkforwarder/var/run/splunk
Creating: /opt/splunkforwarder/var/run/splunk/appserver/i18n
Creating: /opt/splunkforwarder/var/run/splunk/appserver/modules/static/css
Creating: /opt/splunkforwarder/var/run/splunk/upload
Creating: /opt/splunkforwarder/var/spool/splunk
Creating: /opt/splunkforwarder/var/spool/dirmoncache
Creating: /opt/splunkforwarder/var/lib/splunk/authDb
Creating: /opt/splunkforwarder/var/lib/splunk/hashDb
New certs have been generated in ‘/opt/splunkforwarder/etc/auth’.
Checking conf files for typos… Done
All preliminary checks passed.

Starting splunk server daemon (splunkd)… Done
[ OK ]
# Add the forward-server: */opt/splunkforwarder/bin/splunk add forward-server*. Default user and password is *admin/changeme*. By default the inputs.conf and server.conf files are created on install of rpm, this add forward-server creates the outputs.conf file.
# Change the default credentials: */opt/splunkforwarder/bin/splunk edit user admin -password YOUR_NEW_PASSWORD -auth admin:changeme*
# Test forward connection: */opt/splunkforwarder/bin/splunk list forward-server*
# Finally add the data you want to forward: */opt/splunkforwarder/bin/splunk add monitor /path/to/app/logs/ -index main -sourcetype %app%*. Where /path/to/app/logs/ is the path to application logs on the host that you want to bring into Splunk, and %app% is the name you want to associate with that type of data. This will create an inputs.conf file here: */opt/splunkforwarder/etc/apps/search/local/inputs.conf*
# Restart splunk: */etc/init.d/splunk restart*


BEAST and CRIME SSL/TLS vulnerability

I recently ran a vulnerability scan against my web servers and the BEAST and CRIME vulnerabilities.

RHEL5 Apache

Simple PCI DSS compliant and compatible setup for RHEL5 Apache with 3DES as last resort against BEAST:

SSLHonorCipherOrder On

SSLProtocol All -SSLv2


Simple CRIME reduction for same setup:

echo >>/etc/sysconfig/httpd export OPENSSL_NO_DEFAULT_ZLIB=1

You can test your websites URL here: https://www.ssllabs.com/ssltest/


Edit the lighttpd.conf file and add  the following for BEAST:

ssl.cipher-list = “ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM”
ssl.honor-cipher-order = enable

Splunk Node

This works for Splunk 4.3 or higher, there is no setting for versions below 4.3 for Ciphers. Edit the web.conf file and add the following:


enableSplunkWebSSL = true

supportSSLV3Only = true



For the CRIME vulnerability edit server.conf. My forwarders don’t need web enabled!


disableDefaultPort = true

supportSSLV3Only = true