https://community.splunk.com/t5/Getting-Data-In/How-do-I-set-up-inputs-conf-to-allow-for-a-cloud-application-to/m-p/501074#M85355 <P>To get this to work, I had to remove the existing TCP input and add both the tcp-ssl and ssl sections. </P> Thu, 14 Nov 2019 15:03:56 GMT scottrunyon 2019-11-14T15:03:56Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-set-up-inputs-conf-to-allow-for-a-cloud-application-to/m-p/501072#M85353 <P>Our anti-virus application is located in the "cloud" and is sending syslog data to the indexer over TCP port 6514. The application has the ability to use SSL to encrypt this data. Looking at previous answers, it looks like I should add [tcp-ssl://6514] to \etc\system\local\inputs.conf. After modifing the config and changing the remote end to use SSL, I get gibberish like this -</P> <P>\x00&#14;\x00&#22;\x00&#11;\x00&#2;&#1;\x00\x00<BR /> index = avprogram source = tcp:6514 sourcetype = syslog</P> <P>When I remove the SSL requirement from the remote end, the data shows up as correct. It looks to me that I am missing a setting to decrypt the incoming data. </P> <P>Any suggestions on what I need to do? </P> Fri, 11 Oct 2019 19:22:16 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-set-up-inputs-conf-to-allow-for-a-cloud-application-to/m-p/501072#M85353 scottrunyon 2019-10-11T19:22:16Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-set-up-inputs-conf-to-allow-for-a-cloud-application-to/m-p/501073#M85354 <P>Are you sure the TCP-SSL input is actually running properly? Did you remove the old TCP input config? Sounds like both are still in place and since splunk can only have 1 input on a TCP port, it picks the plain TCP input.</P> <P>Try disabling/removing the old TCP input, or run the new input on another port, so you're sure you're troubleshooting the TCP-SSL input.</P> Mon, 14 Oct 2019 08:50:25 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-set-up-inputs-conf-to-allow-for-a-cloud-application-to/m-p/501073#M85354 FrankVl 2019-10-14T08:50:25Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-set-up-inputs-conf-to-allow-for-a-cloud-application-to/m-p/501074#M85355 <P>To get this to work, I had to remove the existing TCP input and add both the tcp-ssl and ssl sections. </P> Thu, 14 Nov 2019 15:03:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-set-up-inputs-conf-to-allow-for-a-cloud-application-to/m-p/501074#M85355 scottrunyon 2019-11-14T15:03:56Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-set-up-inputs-conf-to-allow-for-a-cloud-application-to/m-p/501075#M85356 <P>So that solved it? Or you mean you did that already before you encountered this problem of receiving gibberish?</P> Thu, 14 Nov 2019 15:30:07 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-set-up-inputs-conf-to-allow-for-a-cloud-application-to/m-p/501075#M85356 FrankVl 2019-11-14T15:30:07Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-set-up-inputs-conf-to-allow-for-a-cloud-application-to/m-p/501076#M85357 <P>To solve the issue, in inputs.conf</P> <P>Removed [tcp://6514] stanza</P> <P>Added <BR /> [tcp-ssl://6514]<BR /> connection_host = dns<BR /> sourcetype = syslog<BR /> index = avprogram</P> <P>[SSL]<BR /> rootCA = E:\Splunk\etc\auth\cacert.pem<BR /> serverCert = E:\Splunk\etc\auth\server.pem<BR /> password = *******************</P> <P>Note: I had to add the entire path because this is a Windows system.</P> Thu, 14 Nov 2019 16:13:35 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-set-up-inputs-conf-to-allow-for-a-cloud-application-to/m-p/501076#M85357 scottrunyon 2019-11-14T16:13:35Z