We have the following environment set up: 2 x indexer and 1 x forwarder with 1 Master Node + Search Head.
We have configured it to use indexer discovery and got it to work, whereby the forwarder is able to pass the logs over to the indexer.
However, when we turn on SSL, the logs are no longer forwarded to the indexer.
From the forwarder error logs, I saw the following error => "02-15-2019 09:09:35.768 +0000 ERROR TcpOutputProc - target=Indexer:9997 ssl=0 mismatch with ssl config in outputs.conf for server, skipping..."
Can you advise what is wrong here?
Thanks for the suggestion. Finally found the error using btool due to conflicting configuration for SSL port 9997.
Somehow, besides inputs.conf, there's another config residing under launcher that is also configured to use port 997, which is non-SSL, causing the issue I encountered.
Did you mention the SSL details in inputs.conf and outputs.conf as described in the link below:
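The kind of conflict described above, a receiving port opened with SSL in one inputs.conf and without SSL in another app's copy, can be checked for mechanically. This is an added example, not code from the thread or from Splunk; the file paths and file contents in `SAMPLE` are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Matches [splunktcp:9997], [splunktcp://9997], [splunktcp://host:9997], [splunktcp-ssl:9997]
RECEIVER = re.compile(r"^\[(splunktcp(?:-ssl)?):(?://)?(?:[^\]:]*:)?(\d+)\]\s*$")

def receivers(conf_text):
    """Yield (port, is_ssl) for every enabled receiving stanza in one inputs.conf."""
    current, disabled = None, False
    for line in conf_text.splitlines() + ["[end]"]:  # sentinel flushes the last stanza
        line = line.strip()
        if line.startswith("["):
            if current and not disabled:
                yield current
            m = RECEIVER.match(line)
            current = (int(m.group(2)), m.group(1) == "splunktcp-ssl") if m else None
            disabled = False
        elif current and re.match(r"disabled\s*=\s*(1|true)\s*$", line, re.I):
            disabled = True

def find_ssl_conflicts(files):
    """files: {path: inputs.conf text}. Return {port: [(path, is_ssl), ...]} for
    ports that are opened both with and without SSL across the given files."""
    by_port = defaultdict(list)
    for path, text in files.items():
        for port, is_ssl in receivers(text):
            by_port[port].append((path, is_ssl))
    return {p: hits for p, hits in by_port.items()
            if len({ssl for _, ssl in hits}) > 1}

# Constructed sample layout (paths and contents are illustrative, not from the post).
SAMPLE = {
    "etc/system/local/inputs.conf":
        "[splunktcp-ssl:9997]\ndisabled = 0\n\n[SSL]\nrequireClientCert = false\n",
    "etc/apps/launcher/local/inputs.conf":
        "[splunktcp://9997]\nconnection_host = ip\n",
    "etc/apps/search/local/inputs.conf":
        "[splunktcp://9998]\ndisabled = 1\n",
}

if __name__ == "__main__":
    for port, hits in find_ssl_conflicts(SAMPLE).items():
        for path, is_ssl in hits:
            print(f"port {port}: {'SSL' if is_ssl else 'plain'} in {path}")
```

On a real indexer, feed it every inputs.conf under the Splunk etc directory; any port it reports is one where a plain stanza can shadow the SSL one.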
Configure indexer discovery with SSL
I have configured it based on the documents I got from Splunk, running ver 7.2.0.
input.config on one of my index servers is as follows:
host = SPLUNK01
disabled = 0
serverCert = /opt/splunk/etc/system/local/certs/myIndexer.pem
sslPassword = hashxx
requireClientCert = false
output.config under my forwarder is as follows:
pass4SymmKey = hashxxxx
master_uri = https://188.8.131.52:8089
indexerDiscovery = AWSINDEX
useACK = true
autoLBFrequency = 30
forceTimebasedAutoLB = true
clientCert = /opt/splunkforwarder/etc/system/local/certs/myForwarder.pem
sslPassword = hashxxxx
defaultGroup = splunkaws
I have tested by moving my certs to:
/opt/splunk/etc/auth/certs for my indexer
/opt/splunkforwarder/etc/auth/certs for my forwarder
Still the same error reported above.