The App works fine using UDP on port 514, but I still cannot seem to get TCP-SSL over port 10514 working. Is there a cert requirement for the TCP-SSL protocol? The inputs.conf has 4 lines about certs, but the Sophos page does not mention parameters for using TCP-SSL.

What am I missing, as I'm not familiar with Splunk?

  • Hi Jonn, we were able to test this and verify functionality using the steps below to send the data via the XG firewall to Splunk via SSL:

    • First you need to get the certificate, the intermediate certificate that signed your certificate (if a third party validated cert is being used), and key them together in PEM format.
      • PEM is an ASCII format where the certificate is encoded between lines of ASCII text saying ‘----- BEGIN CERTIFICATE -----’ and ‘----- END CERTIFICATE -----’ for certificates, and ‘----- BEGIN PRIVATE KEY -----’ and ‘----- END PRIVATE KEY -----’ for the key.

    • Normally each PEM file contains one object, but for Splunk you need to concatenate the certificate together with the key into one file. You have to concatenate them in this order:

      • Server cert
      • Intermediate cert (if required)


    • This post describes how they need to be combined into a single file: Solved: Setup Secure (Encrypted) Syslog - Splunk Community
    • Once you’ve created this file, you need to put it somewhere on your Splunk server and set the configuration to point to it, as described in the docs.
      • Regarding the example in the docs, delete the trailing comments as Splunk seems to be reading those as part of the config.
      • Also, the root CA was not required. It’s only used for validating client certificates, if 3rd party validated certificates are used.
      • Here is an example of a working config:
        • In this example, the key file used was not password encrypted.


    requireClientCert = false
    serverCert = /$SPLUNK_HOME/etc/random-cert-key.pem

    index = xg_app
    sourcetype = sophos:xg:logs:secure
    disabled = 0


    • Note: A reboot and enablement via the UI may be required once the config is applied.
      • The line ‘disabled=0’ in the file was auto-added; possibly, if you include it when you create the inputs.conf file, this step will be avoided.
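
A pre-flight check for the two pitfalls described in the reply above, as an added example that is not part of the original thread or of any Splunk or Sophos tooling: it confirms the combined PEM file starts with a certificate and holds exactly one unencrypted private key, and it flags trailing `#` comments on inputs.conf settings. The function names, PEM bodies and conf text are constructed for illustration, and the check does not enforce where the key sits in the file.

```python
import re

# Real PEM delimiters have no spaces inside the dashes.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def check_bundle(text):
    """Return a list of problems found in a combined cert+key PEM file."""
    blocks = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]
    problems = []
    if not blocks or blocks[0][0] != "CERTIFICATE":
        problems.append("first block is not a certificate (server cert goes first)")
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    for label, body in keys:
        # PKCS#8 encrypted keys use their own label; legacy keys carry a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is password-protected")
    return problems

def inline_comments(conf_text):
    """Return (line_no, line) for settings that carry a trailing '#' comment."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        s = line.strip()
        if s.startswith("#") or "=" not in s:
            continue  # full-line comments, stanza headers and blanks are fine
        if re.search(r"\s#", s.split("=", 1)[1]):
            hits.append((n, s))
    return hits

# Constructed sample input: placeholder base64 bodies, not real certificates or keys.
GOOD = """-----BEGIN CERTIFICATE-----
U0VSVkVS
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRF
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
S0VZ
-----END PRIVATE KEY-----
"""
BAD = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\nS0VZ\n-----END ENCRYPTED PRIVATE KEY-----\n"
       + GOOD.split("-----BEGIN PRIVATE KEY")[0])
CONF = """requireClientCert = false  # constructed trailing comment
serverCert = /$SPLUNK_HOME/etc/random-cert-key.pem
# full-line comment
index = xg_app
"""
if __name__ == "__main__":
    print(check_bundle(GOOD), check_bundle(BAD), inline_comments(CONF))
```

Run it against the real combined file and inputs.conf by reading them with `open(path).read()` before restarting Splunk.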