All Apps and Add-ons

Splunk Universal Forwarder SSL Error

mdepuy
Observer

We have a few very old machines running UF version 6.2.X. [No, upgrading the UF/OS cannot happen] The certificate just recently expired and we are attempting to rectify the issue. My question is: does the certificate only have to be reissued to the indexers (I have read this in previous answers)? Or do I need to reissue certs to all the expired UFs, as well? 

If the latter question is the answer, what is the best way to go about it? Ship the certs with a new outputs.conf pointing to the new certs resident in that app? Or use SCCM and our in-house CA to issue new certs and set outputs.conf to point to that cert?

I appreciate any help!

Labels (3)
0 Karma

anilchaithu
Builder

@mdepuy 

It depends on your current configuration. In general, UF & Indexers have their own certs. So, you need to figure out which cert is expired?

Assuming both are expired, you can follow one of the below mentioned configurations

1) You can request one cert for all UFs & one for all indexers (with the same sslCommonName). 

2) You can request one cert for all UFs & one for each indexer (with unique sslCommonName). 

Please refer splunk documentation for more details.

https://docs.splunk.com/Documentation/Splunk/8.0.4/Security/ConfigureSplunkforwardingtousesignedcert...

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...