https://community.splunk.com/t5/Getting-Data-In/SSL-connection-between-Indexer-and-Forwarder-validation/m-p/150745#M30664 <P>Hi garima_chauhan,</P> <P>run this command from the <CODE>cmd</CODE> prompt</P> <PRE><CODE> %SPLUNK_HOME%/bin/splunk cmd openssl s_client -connect myIDX:9997 </CODE></PRE> <P>this will open a SSL connection to the idx and verify the SSL connection.</P> <P>find some background information about SSL tests and config changes <A href="http://answers.splunk.com/answers/134053/ciphersuite-in-various-conf-files">here</A></P> <P>hope this helps ...</P> <P>cheers, MuS</P> Sun, 18 May 2014 08:42:17 GMT MuS 2014-05-18T08:42:17Z https://community.splunk.com/t5/Getting-Data-In/SSL-connection-between-Indexer-and-Forwarder-validation/m-p/150741#M30660 <P>Hi,</P> <P>I am not able to configure the ssl connections between the forwarder and indexer. The splunkd logs on both the indexer and forwarder are not the same as cited in the documentation.</P> <P>Here is what I get on Indexer in splunkd.log:</P> <P>Date Time +1100 INFO TcpInputConfig - IPv4 port 9997 is reserved for splunk 2 splunk</P> <P>Date Time +1100 INFO TcpInputConfig - IPv4 port 9997 is not compressed</P> <P>Date Time +1100 INFO TcpInputConfig - IPv4 port 9997 is reserved for splunk 2 splunk (SSL)</P> <P>Date Time +1100 INFO TcpInputConfig - IPv4 port 9997 is compressed</P> <P>Date Time +1100 INFO TcpInputProc - Registering metrics callback for: tcpin_connections</P> <P>After this, I do not get any other message as mentioned in the documentation.</P> <P>On Forwarder, I get the following in splunkd.log:</P> <P>Date Time +1100 INFO TcpOutputProc - found Whitelist forwardedindex.0.whitelist , RE : forwardedindex.0.whitelist</P> <P>Date Time +1100 INFO TcpOutputProc - found Blacklist forwardedindex.1.blacklist , RE : forwardedindex.1.blacklist</P> <P>Date Time +1100 INFO TcpOutputProc - found Whitelist forwardedindex.2.whitelist , RE : forwardedindex.2.whitelist</P> <P>Date Time +1100 INFO TcpOutputProc - tcpout group splunkssl using Auto load balanced forwarding</P> <P>Date Time +1100 INFO TcpOutputProc - Group splunkssl initialized with maxQueueSize=512000 in bytes.</P> <P>Date Time +1100 WARN TcpOutputProc - Connected to idx=<INDEXERIP>:9997. Not using ACK.</INDEXERIP></P> <P>Date Time +1100 WARN TcpOutputProc - Connected to idx=<INDEXERIP>:9997. Not using ACK.</INDEXERIP></P> <P>Date Time +1100 INFO TcpOutputProc - Connection to <INDEXERIP>:9997 closed. Connection closed</INDEXERIP></P> <P>For enabling SSL connection between a forwarder and an indexer, I performed the following configurations:</P> <P>On Indexer(Windows)<BR /> I added the following stanzas in $SPLUNK_HOME\etc\system\local\inputs.conf</P> <P>[splunktcp-ssl:9997]<BR /> compressed = true</P> <P>[SSL]<BR /> rootCA = $SPLUNK_HOME\etc\auth\cacert.pem<BR /> serverCert = $SPLUNK_HOME\etc\auth\server.pem<BR /> password = password</P> <P>On Forwarder(Windows)<BR /> I added the following stanzas in $SPLUNK_HOME\etc\system\local\outputs.conf</P> <P>[tcpout]<BR /> defaultGroup = splunkssl</P> <P>[tcpout:splunkssl]<BR /> compressed = true<BR /> server = <INDEXERIP>:9997<BR /> sslCertPath = $SPLUNK_HOME\etc\auth\server.pem<BR /> sslPassword = password<BR /> sslRootCAPath = $SPLUNK_HOME\etc\auth\cacert.pem<BR /> sslVerifyServerCert = false</INDEXERIP></P> <P>I checked if there were 2 inputs.conf stanzas using port 9997. There were no 2 stanzas using port 9997 but I still changed the port to 9996 for ssl connection.</P> <P>Despite changing the port, I don't get the output in splunkd.log as mentioned in the splunk documentation. </P> <P>However, when I checked the metrics.log file on Indexer, I get "ssl=true". Does this mean that ssl is enabled, even though the splunkd logs are not as desired?</P> <P>Please help.</P> Mon, 28 Sep 2020 15:20:05 GMT https://community.splunk.com/t5/Getting-Data-In/SSL-connection-between-Indexer-and-Forwarder-validation/m-p/150741#M30660 garima_chauhan 2020-09-28T15:20:05Z https://community.splunk.com/t5/Getting-Data-In/SSL-connection-between-Indexer-and-Forwarder-validation/m-p/150742#M30661 <P>In the splunkd.log on the forwarder, are you seeing messages similar to "TcpOutput: Connected to 1.2.3.4." (Where 1.2.3.4 is the IP address of your indexer)?</P> Thu, 21 Nov 2013 08:05:03 GMT https://community.splunk.com/t5/Getting-Data-In/SSL-connection-between-Indexer-and-Forwarder-validation/m-p/150742#M30661 msarro 2013-11-21T08:05:03Z https://community.splunk.com/t5/Getting-Data-In/SSL-connection-between-Indexer-and-Forwarder-validation/m-p/150743#M30662 <P>Yes it does give </P> <P>TcpOutputProc: Connected to idx IP:9996</P> Thu, 21 Nov 2013 09:15:07 GMT https://community.splunk.com/t5/Getting-Data-In/SSL-connection-between-Indexer-and-Forwarder-validation/m-p/150743#M30662 garima_chauhan 2013-11-21T09:15:07Z https://community.splunk.com/t5/Getting-Data-In/SSL-connection-between-Indexer-and-Forwarder-validation/m-p/150744#M30663 <P>I am having similar problem as above. Can anyone please post the solution for this problem?<BR /> Thanks in advance</P> Sat, 17 May 2014 19:20:48 GMT https://community.splunk.com/t5/Getting-Data-In/SSL-connection-between-Indexer-and-Forwarder-validation/m-p/150744#M30663 uchaitanya 2014-05-17T19:20:48Z https://community.splunk.com/t5/Getting-Data-In/SSL-connection-between-Indexer-and-Forwarder-validation/m-p/150745#M30664 <P>Hi garima_chauhan,</P> <P>run this command from the <CODE>cmd</CODE> prompt</P> <PRE><CODE> %SPLUNK_HOME%/bin/splunk cmd openssl s_client -connect myIDX:9997 </CODE></PRE> <P>this will open a SSL connection to the idx and verify the SSL connection.</P> <P>find some background information about SSL tests and config changes <A href="http://answers.splunk.com/answers/134053/ciphersuite-in-various-conf-files">here</A></P> <P>hope this helps ...</P> <P>cheers, MuS</P> Sun, 18 May 2014 08:42:17 GMT https://community.splunk.com/t5/Getting-Data-In/SSL-connection-between-Indexer-and-Forwarder-validation/m-p/150745#M30664 MuS 2014-05-18T08:42:17Z