Splunk Enterprise must use TCP for data transmission.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-251675 | SPLK-CL-000270 | SV-251675r961863_rule | | Medium |
| Description |
|---|
| If the UDP protocol is used for communication, then data packets that do not reach the server are not detected as a data loss. The use of TCP to transport data improves delivery reliability, adds data integrity, and gives the option to encrypt the traffic. |
| STIG | Date |
|---|---|
| Splunk Enterprise 8.x for Linux Security Technical Implementation Guide | 2025-03-05 |
Details
| Check Text (C-55113r819095_chk) |
|---|
| This check is performed on the machine used as an indexer, which may be a separate machine in a distributed environment. Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the inputs.conf file. If any input is configured to use a UDP port, this is a finding. |
| Fix Text (F-55067r819096_fix) |
|---|
| This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. Modify the inputs.conf file to replace any input that uses a UDP port with a TCP port. |