Splunk Enterprise must use TCP for data transmission.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-251675 | SRG-APP-000516-AU-000340 | SPLK-CL-000270 | SV-251675r961863_rule | 2025-03-05 | 2 |
Description |
---|
If the UDP protocol is used for communication, then data packets that do not reach the server are not detected as a data loss. The use of TCP to transport data improves delivery reliability, adds data integrity, and gives the option to encrypt the traffic. |
Check |
---|
This check is performed on the machine used as an indexer, which may be a separate machine in a distributed environment. Examine the configuration. Navigate to the $SPLUNK_HOME/etc/system/local/ directory. View the inputs.conf file. If any input is configured to use a UDP port, this is a finding. |
Fix |
---|
This configuration is performed on the machine used as an indexer, which may be a separate machine in a distributed environment. Navigate to $SPLUNK_HOME/etc/system/local/ and modify the inputs.conf file to replace any input that is using a UDP port with a TCP port. |
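The check and fix above can be scripted against the indexer's inputs.conf. The following is an added example, not part of the STIG or of Splunk's own tooling; it parses stanza headers of the form `[udp://<port>]` / `[udp://<host>:<port>]`, reports every UDP input as a finding, and rewrites those headers to `tcp://` while leaving the rest of the stanza untouched. The sample inputs.conf is constructed; `splunktcp://` (forwarder traffic) and `tcp-ssl://` stanzas are already TCP and are not flagged.

```python
"""Audit a Splunk inputs.conf for UDP inputs (STIG SPLK-CL-000270).

Added example, not STIG or Splunk code. Only stanza headers are
inspected; stanza settings are copied through unchanged when a
header is rewritten, so review them (and reconfigure the senders to
use TCP) after conversion, or the data stream stops.
"""
import re
import sys

# Splunk input stanzas look like [<scheme>://<host>:<port>] or [<scheme>://<port>].
STANZA_RE = re.compile(r"^\s*\[(?P<scheme>[A-Za-z\-]+)://(?P<rest>[^\]]*)\]\s*$")


def udp_inputs(conf_text: str) -> list[str]:
    """Return every stanza header in conf_text whose scheme is udp (each is a finding)."""
    found = []
    for line in conf_text.splitlines():
        m = STANZA_RE.match(line)
        if m and m.group("scheme").lower() == "udp":
            found.append(f"[udp://{m.group('rest')}]")
    return found


def convert_udp_to_tcp(conf_text: str) -> str:
    """Rewrite [udp://...] headers as [tcp://...], keeping host/port and all settings."""
    out = []
    for line in conf_text.splitlines():
        m = STANZA_RE.match(line)
        if m and m.group("scheme").lower() == "udp":
            out.append(f"[tcp://{m.group('rest')}]")
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")


# Constructed sample: one syslog UDP listener (finding), one TCP syslog
# listener and one Splunk-to-Splunk receiving port (both compliant).
SAMPLE_INPUTS_CONF = """\
[default]
host = idx01

[udp://514]
sourcetype = syslog
connection_host = ip

[tcp://1514]
sourcetype = syslog

[splunktcp://9997]
disabled = 0
"""

if __name__ == "__main__":
    # Usage: python audit_inputs.py [$SPLUNK_HOME/etc/system/local/inputs.conf]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INPUTS_CONF
    hits = udp_inputs(text)
    print("FINDING: UDP inputs present: " + ", ".join(hits) if hits else "PASS: no UDP inputs")
```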