https://community.splunk.com/t5/Security/SSL-for-third-party-forwarding/m-p/350911#M8840 <P>indexAndForward is for heavy forwarders only. It will not work on indexers. Let me know if that's an option for you, if so I can elaborate on the SSL questions.</P> Fri, 10 Mar 2017 14:51:38 GMT jkat54 2017-03-10T14:51:38Z https://community.splunk.com/t5/Security/SSL-for-third-party-forwarding/m-p/350910#M8839 <P>Hi. We are looking at the possibility of forwarding data from a Splunk indexer (with "indexAndForward") to a third-party system using SSL. As it's a non-Splunk receiving system we need to use "sendCookedData = false" in outputs.conf. I'm aware of the SSL settings in outputs.conf but all documentation I've seen only describes these settings in the context of a Splunk indexer on the receiving end, with corresponding settings in inputs.conf.</P> <P>Is it possible to use the SSL settings in the outputs.conf of the forwarding system with a non-Splunk receiver? My knowledge of SSL and the receiving system is limited but presumably some configuration of the receiver would be required to accept this.</P> Fri, 10 Mar 2017 14:37:04 GMT https://community.splunk.com/t5/Security/SSL-for-third-party-forwarding/m-p/350910#M8839 jhigginsmq 2017-03-10T14:37:04Z https://community.splunk.com/t5/Security/SSL-for-third-party-forwarding/m-p/350911#M8840 <P>indexAndForward is for heavy forwarders only. It will not work on indexers. Let me know if that's an option for you, if so I can elaborate on the SSL questions.</P> Fri, 10 Mar 2017 14:51:38 GMT https://community.splunk.com/t5/Security/SSL-for-third-party-forwarding/m-p/350911#M8840 jkat54 2017-03-10T14:51:38Z https://community.splunk.com/t5/Security/SSL-for-third-party-forwarding/m-p/350912#M8841 <P>Ok I can see it says "This attribute is only available for heavy forwarders" under indexAndForward in the outputs.conf.spec, I assumed this meant only as opposed to universal forwarders. Isn't a 'heavy forwarder that indexes', really just an 'indexer that forwards'?</P> <P>Either way I am keen to hear your SSL thoughts, thanks.</P> Fri, 10 Mar 2017 15:11:06 GMT https://community.splunk.com/t5/Security/SSL-for-third-party-forwarding/m-p/350912#M8841 jhigginsmq 2017-03-10T15:11:06Z https://community.splunk.com/t5/Security/SSL-for-third-party-forwarding/m-p/350913#M8842 <PRE><CODE>SSL should work just fine sending to other servers and ports. SSL Verification will work too. You've got to create your own pem openssl genrsa -aes256 -out splunkforwarders.yourdomain.com.key 2048 openssl req -new -key splunkforwarders.yourdomain.com.key -out splunkforwarders.yourdomain.com.csr openssl x509 -req -in splunkforwarders.yourdomain.com.csr -sha1 -signkey splunkforwarders.yourdomain.com.key -CAcreateserial -out splunkforwarders.yourdomain.com.crt -days 365 cat splunkforwarders.yourdomain.com.crt splunkforwarders.yourdomain.com.key rootca.crt subca1.crt subca2.crt &gt; splunkforwarders.pem inputs.conf: [your_stanza] _INDEX_AND_FORWARD_ROUTING = ssl_forwarding outputs.conf: [tcpout] defaultGroup = indexers indexAndForward = true [tcpout:ssl_forwarding] sendCookedData = false server = {some_host}:{port} clientCert = $SPLUNK_HOME/etc/myauth/splunkforwarders.pem sslPassword ={password} sslRootCAPath = $SPLUNK_HOME/etc/myauth/rootca.crt sslVerifyServerCert = true sslCommonNameToCheck = {some_host} [tcpout:indexers] server = {some_indexer_1}:{port}, {some_indexer_2}:{port} </CODE></PRE> Fri, 10 Mar 2017 16:55:03 GMT https://community.splunk.com/t5/Security/SSL-for-third-party-forwarding/m-p/350913#M8842 jkat54 2017-03-10T16:55:03Z https://community.splunk.com/t5/Security/SSL-for-third-party-forwarding/m-p/350914#M8843 <P>Ok great, think I need to read up on the SSL settings a bit more but good to know it can be done and the example look useful, thanks.</P> Fri, 10 Mar 2017 20:58:13 GMT https://community.splunk.com/t5/Security/SSL-for-third-party-forwarding/m-p/350914#M8843 jhigginsmq 2017-03-10T20:58:13Z