Dynamic Encryption with Cribl and Splunk – Part 3

by | Aug 1, 2020

dynamic encryption

Cribl Configuration

The Encryption Keys

Before we start configuring the data elements of Cribl LogStream, we need to set up the keys with which to encrypt and decrypt the data moving through it.

Looking back to part one of this document, we noted that fields requiring encryption were grouped into either crypto_group_0 or crypto_group_1 in the JSON schema. Keeping with this naming convention, we’ll describe the two key pairs using these names, taking care to align that the group number matches the “Key Class” variable in the key settings.

crypto_group_0 is assigned a key class of “0”

image1.png

crypto_group_1 is assigned a key class of “1”

Crypto_group1

Download the key bundle by clicking “Get Key Bundle” in the user interface.

Get Key Bundle.png

The bundle will contain two files when uncompressed, cribl.secret and keys.json.

Securely copy both files to /opt/splunk/etc/apps/cribl/local/cribl/auth on your search head (or deploy them accordingly with your search head deployer).

The Destination

In keeping with the philosophy of configuring things in reverse order, we’ll start with setting Splunk up as a destination in Cribl LogStream. Cribl speaks “Splunk-to-Splunk” (S2S) protocol natively so this is a relatively simple procedure.

It’s worth noting that while this lab is a single all-in-one Splunk Indexer/Search Head, Cribl also supports load balanced Splunk indexers and outputting to the Splunk HTTP Event Collector.

I have also configured Cribl to write events to a persistent queue in the unlikely event that it can’t communicate with the Splunk indexing tier.

Single Destination.png

The Pipeline Part 1

Initially we’ll set up a default pipeline to test end-to-end delivery of events. As this means that the Splunk index will be receiving unencrypted sensitive data, I’d recommend sending them to a test index that can later be deleted. Even a single event containing PII in a wrong index can create a compliance nightmare months down the line.

Pipeline_1.png

With our default pass-through pipeline set up, we can move on to configuring the Cribl Route.

The Route

Next we create the route that connects the pipeline to the desired output. I’ve added a filter to ensure that only events destined for index=’secured_index’ are valid for the pipeline in the name of optimisation.

Route_1.png

The Pipeline Part 2

Now that we have all of the plumbing in place, the next step is to encrypt the required fields as they move through Cribl LogStream. Cribl encrypts the data using the keys that we created in part two. Be sure to click the flag to the right of the regex and select “Global”.

Pipeline_2.png

Because we’re not cruel, here’s a pastable version of that Regex.

(?<=”crypto_group_(\d+)”:\{[^\}]*)(?:”(.*?)”:”(.*?)”(,|\s*}))

And the replace expression.

`”${g2}”:”${C.Crypto.encrypt(g3,g1)}”${g4}`

The Regular Expression Explained

For those interested in what that regex is actually doing, Ian has written this handy breakdown of all the moving parts.

Regular Expressions.png

The Source

Finally, we’re ready to configure Cribl LogStream to receive events from your data source. In this example I’ve set up a simple HTTP source that receives events from a Splunk EventGen instance. The most important parts of this step are to set your own unique token on both ends of the conversation and to be sure to forward events to the “event_encryptor” that we just configured.

Destination.png

Next Up

Now that the data encryption machinery is all in place, we’re ready to give things a test run and validate our configuration in Splunk.