https://community.splunk.com/t5/Getting-Data-In/Use-a-Heavy-Forward-to-Receive-Unencrypted-Traffic-and-Send/m-p/345458#M63472 <P>For this particular situation the Palo Alto for Splunk App and TA only work with the main index. When I removed the custom index I could see the events populating.</P> Wed, 26 Apr 2017 03:37:40 GMT skycree_rh 2017-04-26T03:37:40Z https://community.splunk.com/t5/Getting-Data-In/Use-a-Heavy-Forward-to-Receive-Unencrypted-Traffic-and-Send/m-p/345455#M63469 <P>Hi,<BR /> I have setup a heavy forwarder to accept TCP unencrypted traffic from a Palo Alto device, that has the Palo Alto TA installed, on our local network. I would like to send the data encrypted using SSL to our indexer in AWS. The indexer in AWS is already configured and working for receiving SSL encrypted events. Is there a configuration that needs to be done on the heavy forwarder to allow this?</P> <P>By running tcpdump I can see the unencrypted data coming from the Palo Alto device. I can see encrypted data going to our indexer but all that I can see is hostname related events in the _internal index, and no evidence of the pan:log sourcetype.</P> <P>Thanks</P> Tue, 25 Apr 2017 04:44:03 GMT https://community.splunk.com/t5/Getting-Data-In/Use-a-Heavy-Forward-to-Receive-Unencrypted-Traffic-and-Send/m-p/345455#M63469 skycree_rh 2017-04-25T04:44:03Z https://community.splunk.com/t5/Getting-Data-In/Use-a-Heavy-Forward-to-Receive-Unencrypted-Traffic-and-Send/m-p/345456#M63470 <P>Yes it can be done using SSL certificates. You need to add certificate information in your outputs.conf as follows:</P> <PRE><CODE>[tcpout:test_clustered_indexers] server = indexer.abc.com:9997 compressed = true sslVerifyServerCert = true sslRootCAPath = /opt/splunkforwarder/etc/auth/certificate/cert.pem sslCertPath = /opt/splunkforwarder/etc/auth/certificate/CertFull.pem sslPassword = &lt;yourPassword&gt; useClientSSLCompression = true </CODE></PRE> <P>and on the indexers machines need to add following stanza in inputs.conf.</P> <PRE><CODE>[SSL] password = &lt;cert password&gt; rootCA =&lt;path to your root CA certificate&gt; serverCert = &lt;Path to your server certificate&gt; requireClientCert = true </CODE></PRE> Tue, 25 Apr 2017 06:41:30 GMT https://community.splunk.com/t5/Getting-Data-In/Use-a-Heavy-Forward-to-Receive-Unencrypted-Traffic-and-Send/m-p/345456#M63470 hardikJsheth 2017-04-25T06:41:30Z https://community.splunk.com/t5/Getting-Data-In/Use-a-Heavy-Forward-to-Receive-Unencrypted-Traffic-and-Send/m-p/345457#M63471 <P>Hi, thanks for the response. Yes, I do have that setup already which is why I'm confused as to why the events are not showing in the index.</P> Tue, 25 Apr 2017 15:06:25 GMT https://community.splunk.com/t5/Getting-Data-In/Use-a-Heavy-Forward-to-Receive-Unencrypted-Traffic-and-Send/m-p/345457#M63471 skycree_rh 2017-04-25T15:06:25Z https://community.splunk.com/t5/Getting-Data-In/Use-a-Heavy-Forward-to-Receive-Unencrypted-Traffic-and-Send/m-p/345458#M63472 <P>For this particular situation the Palo Alto for Splunk App and TA only work with the main index. When I removed the custom index I could see the events populating.</P> Wed, 26 Apr 2017 03:37:40 GMT https://community.splunk.com/t5/Getting-Data-In/Use-a-Heavy-Forward-to-Receive-Unencrypted-Traffic-and-Send/m-p/345458#M63472 skycree_rh 2017-04-26T03:37:40Z