Splunk Enterprise must use TCP for data transmission.
An XCCDF Rule
Description
<VulnDiscussion>If the UDP protocol is used for communication, then data packets that do not reach the server are not detected as a data loss. The use of TCP to transport data improves delivery reliability, adds data integrity, and gives the option to encrypt the traffic.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID: SV-251675r879887_rule
- Severity: Medium
- References
- Updated
Remediation - Manual Procedure
This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment.
Navigate to $SPLUNK_HOME/etc/system/local/
Modify the inputs.conf file to replace any input that is using a UDP port with a TCP port.
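The check and the remediation described above, as an added example that is not part of the STIG or of Splunk's own tooling: it parses an inputs.conf, reports every `[udp://...]` listener as a finding, and emits a copy in which those stanza headers use `tcp://` on the same port. The sample inputs.conf is constructed; `[splunktcp://...]` forwarder inputs are already TCP and are left alone.

```python
"""Audit a Splunk inputs.conf for UDP inputs and produce a TCP equivalent."""
import re
from typing import List, Tuple

# Constructed sample inputs.conf: one UDP syslog listener (the finding),
# one raw TCP listener and one splunktcp receiver (both already compliant).
SAMPLE_INPUTS_CONF = """\
[default]
host = idx01

[udp://514]
sourcetype = syslog
connection_host = ip

[tcp://1514]
sourcetype = syslog

[splunktcp://9997]
disabled = 0
"""

# Matches network-input stanza headers such as [udp://514] or [tcp://host:514].
STANZA_RE = re.compile(r"^\[(?P<scheme>[A-Za-z0-9_-]+)://(?P<target>[^\]]*)\]$")


def parse_stanzas(text: str) -> List[Tuple[str, List[str]]]:
    """Split inputs.conf into (header, body_lines) pairs, keeping order and blank lines."""
    stanzas: List[Tuple[str, List[str]]] = []
    header, body = "", []
    for line in text.splitlines():
        if line.startswith("[") and line.rstrip().endswith("]"):
            if header:
                stanzas.append((header, body))
            header, body = line.strip(), []
        else:
            body.append(line)
    if header:
        stanzas.append((header, body))
    return stanzas


def find_udp_inputs(text: str) -> List[str]:
    """Return the header of every stanza that opens a UDP listener (a STIG finding)."""
    return [h for h, _ in parse_stanzas(text)
            if (m := STANZA_RE.match(h)) and m.group("scheme").lower() == "udp"]


def convert_udp_to_tcp(text: str) -> str:
    """Rewrite each [udp://...] header as [tcp://...] on the same port, body unchanged.
    The sending hosts must be repointed to TCP as well, or the data stops arriving."""
    out: List[str] = []
    for header, body in parse_stanzas(text):
        m = STANZA_RE.match(header)
        if m and m.group("scheme").lower() == "udp":
            header = f"[tcp://{m.group('target')}]"
        out.append(header)
        out.extend(body)
    return "\n".join(out).strip("\n") + "\n"
```

Review any UDP-only keys left in a converted stanza before deploying the file, and restart or reload the indexer so the new TCP listener is opened.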