
Splunk Enterprise must use TCP for data transmission.


Overview

Finding ID: V-221614
Version: SPLK-CL-000170
Rule ID: SV-221614r879887_rule
IA Controls: none listed
Severity: Medium
Description
If the UDP protocol is used for communication, then data packets that do not reach the server are not detected as a data loss. The use of TCP to transport data improves delivery reliability, adds data integrity, and gives the option to encrypt the traffic.
STIG: Splunk Enterprise 7.x for Windows Security Technical Implementation Guide
Date: 2023-06-09

Details

Check Text (C-23329r416299_chk)
Select Settings >> Data Inputs and verify that there are zero inputs configured under UDP. Splunk supports UDP inputs, but their use is not permitted.

If any exist, this is a finding.

If the Web UI is disabled, open an OS command prompt and type:

netstat -a -p UDP

If a UDP socket is displayed for 0.0.0.0:514, the instance is listening for syslog on UDP port 514, and this is a finding.
Fix Text (F-23318r416300_fix)
Select Settings >> Data Inputs, and verify there are zero inputs configured under UDP. Remove any that exist and recreate using TCP.

It is recommended to configure these settings before disabling the web UI of the instance in a distributed environment.
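The check above is performed in the web UI or with netstat. As an added example (not part of the STIG or of Splunk's own tooling), the script below performs the same two checks offline: it parses an inputs.conf for [udp://...] stanzas, which is how Splunk stores UDP data inputs, and parses netstat -a -p UDP output for sockets bound to port 514. Both input samples are constructed for illustration; the tcp_equivalent helper only suggests the TCP stanza name to recreate an input with, as the fix text directs.

```python
import configparser
import re

# Constructed sample inputs.conf (not a real config): live UDP, disabled UDP, TCP inputs.
SAMPLE_INPUTS_CONF = """
[udp://514]
sourcetype = syslog
[udp://10.0.0.5:1514]
sourcetype = cisco:asa
disabled = 1
[tcp://9997]
sourcetype = syslog
"""

# Constructed sample of Windows `netstat -a -p UDP` output (not a real capture).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:514            *:*
"""

def find_udp_inputs(conf_text):
    """Return (stanza, enabled) for every [udp://...] stanza. Splunk puts the
    protocol in the stanza name; disabled inputs are still reported because
    the check counts configured inputs, not open sockets."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    findings = []
    for stanza in parser.sections():
        if stanza.lower().startswith("udp://"):
            disabled = parser[stanza].get("disabled", "0").strip().lower()
            findings.append((stanza, disabled not in ("1", "true")))
    return findings

def udp_listeners(netstat_text, port=514):
    """Return local addresses of UDP sockets bound to `port` in netstat output."""
    pattern = re.compile(r"^\s*UDP\s+(\S+:(\d+))\s", re.IGNORECASE)
    return [m.group(1) for m in map(pattern.match, netstat_text.splitlines())
            if m and int(m.group(2)) == port]

def tcp_equivalent(stanza):
    """Name of the TCP stanza that recreates a UDP input on the same host/port."""
    return "tcp://" + stanza.split("://", 1)[1]

if __name__ == "__main__":
    for stanza, enabled in find_udp_inputs(SAMPLE_INPUTS_CONF):
        state = "enabled" if enabled else "disabled"
        print(f"FINDING {stanza} ({state}): recreate as [{tcp_equivalent(stanza)}]")
    for addr in udp_listeners(SAMPLE_NETSTAT):
        print(f"FINDING UDP socket bound on {addr}")
```

On a real instance, inputs.conf is layered across several directories (etc/system/local and each app's local/default folder), so feed the script the merged output of `splunk btool inputs list` rather than a single file.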