Help needed for Splunk Index and Forward setup

somesoni2
SplunkTrust

Hi,

I have the following instances in my environment.

5 - Forwarders - Splunk 5.0.5
1 - Indexer - Splunk 5.0.5
1 - Indexer - Splunk 6.0

All forwarders are setup to forward data to Indexer 5.0.5 on port 9997 and they are working fine.

What I want to do now is to configure Indexer 5.0.5 for the "Index and Forward" option so that it stores events from all forwarders locally as well as forwarding them to Indexer 6.0.

All instances are using SSL connection.
Could anyone tell me what all configurations are required to do the same and which instance should be configured in what way?

I have tried the following so far with no luck [Splunk Indexer 6.0 is configured to receive on port 9998 for all]:

  1. Added forwarding and saving a local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, restarted Indexer 5.0.5 - didn't work.
  2. Added forwarding and saving a local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, added the following stanza in inputs.conf on Indexer 5.0.5, restarted Indexer 5.0.5 - didn't work.

    [splunktcp://9997]
    connection_host = none

  3. Added forwarding and saving a local copy in Indexer 5.0.5 to Indexer 6.0 on port 9998, added the following stanza in inputs.conf on Indexer 6.0, restarted both Indexer 5.0.5 and Indexer 6.0 - didn't work.

    [splunktcp://9998]
    connection_host = none

Appreciate your help here. I've been stuck for so long.

1 Solution

somesoni2
SplunkTrust

Resolved, with the following configuration.

Splunk 6.0 Indexer
inputs.conf

    [SSL]
    password = certpassword
    rootCA = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
    serverCert = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
    requireClientCert = false

    [splunktcp-ssl:9998]
    compressed = true

Splunk 5.0 Indexer
outputs.conf

    [tcpout]
    defaultGroup = DEV_INDEXERS_6_0
    indexAndForward = true
    disabled = false

    [tcpout:DEV_INDEXERS_6_0]
    compressed = true
    server = <splunk6 indexer server>:9998
    sslCertPath = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
    sslPassword = certpassword
    sslRootCAPath = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
    sslVerifyServerCert = false
    useACK = true
    sendCookedData = true

Restarted both indexers and boom.

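The two stanzas above have to agree with each other in several places (the forwarding group named by defaultGroup must exist, the port in server must match a [splunktcp-ssl:<port>] stanza on the receiver, and the SSL settings on both sides must line up), and two of the values chosen here (sslVerifyServerCert = false, requireClientCert = false) trade away certificate checking to get the link working. The following Python script is an added example, not code from the post or from Splunk: it parses both files with the standard-library configparser and reports path-breaking mistakes as errors and security-weakening settings as warnings. The two conf strings are constructed copies of the snippets in the answer; the hostname placeholder, file names and password are the post's own values, not real ones.

```python
"""Cross-check a Splunk index-and-forward pair: the sending indexer's
outputs.conf against the receiving indexer's inputs.conf.
Added example; assumes the two files look like the snippets in the post."""
import configparser

# Constructed copy of the receiver's inputs.conf from the accepted answer.
RECEIVER_INPUTS_CONF = """
[SSL]
password = certpassword
rootCA = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
serverCert = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
requireClientCert = false

[splunktcp-ssl:9998]
compressed = true
"""

# Constructed copy of the sender's outputs.conf from the accepted answer.
SENDER_OUTPUTS_CONF = """
[tcpout]
defaultGroup = DEV_INDEXERS_6_0
indexAndForward = true
disabled = false

[tcpout:DEV_INDEXERS_6_0]
compressed = true
server = <splunk6 indexer server>:9998
sslCertPath = $SPLUNK_HOME/etc/auth/sslKeysfileDEV.pem
sslPassword = certpassword
sslRootCAPath = $SPLUNK_HOME/etc/auth/blah_CA05_root.pem
sslVerifyServerCert = false
useACK = true
sendCookedData = true
"""


def parse_conf(text):
    """Splunk .conf files are INI-style; keep key case and disable '%' interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def is_true(value):
    return str(value).strip().lower() in ("true", "1", "yes", "t", "y")


def check_index_and_forward(outputs_text, inputs_text):
    """Return (errors, warnings). Errors break the forwarding path;
    warnings are settings that weaken transport security or delivery."""
    out, inp = parse_conf(outputs_text), parse_conf(inputs_text)
    errors, warnings = [], []

    tcpout = out["tcpout"] if out.has_section("tcpout") else {}
    if not is_true(tcpout.get("indexAndForward", "false")):
        errors.append("[tcpout] indexAndForward is not true: events are forwarded but not kept locally")
    group = tcpout.get("defaultGroup")
    if not group:
        errors.append("[tcpout] has no defaultGroup, so nothing is forwarded")
        return errors, warnings
    group_section = "tcpout:" + group
    if not out.has_section(group_section):
        errors.append(f"defaultGroup '{group}' has no [{group_section}] stanza")
        return errors, warnings
    g = out[group_section]

    # Receiving ports on the other side, split by transport.
    ssl_ports = {s.split(":", 1)[1] for s in inp.sections() if s.startswith("splunktcp-ssl:")}
    plain_ports = {s.split("://", 1)[1] for s in inp.sections() if s.startswith("splunktcp://")}
    sender_uses_ssl = "sslCertPath" in g or "sslRootCAPath" in g

    servers = [s.strip() for s in g.get("server", "").split(",") if s.strip()]
    if not servers:
        errors.append(f"[{group_section}] has no server entry")
    for server in servers:
        _host, _sep, port = server.rpartition(":")
        if not port.isdigit():
            errors.append(f"server '{server}' has no port")
        elif sender_uses_ssl and port not in ssl_ports:
            errors.append(f"server '{server}': sender uses SSL but receiver has no [splunktcp-ssl:{port}] stanza")
        elif not sender_uses_ssl and port not in plain_ports:
            errors.append(f"server '{server}': sender is plaintext but receiver has no [splunktcp://{port}] stanza")

    # Security-relevant settings: the link works without them, but weaker.
    if inp.has_section("SSL") and g.get("sslRootCAPath") != inp["SSL"].get("rootCA"):
        warnings.append("sslRootCAPath and rootCA differ: confirm both sides trust the same CA")
    if sender_uses_ssl and not is_true(g.get("sslVerifyServerCert", "false")):
        warnings.append("sslVerifyServerCert=false: sender does not verify the receiver's certificate")
    if inp.has_section("SSL") and not is_true(inp["SSL"].get("requireClientCert", "false")):
        warnings.append("requireClientCert=false: receiver accepts any TLS client, not only your forwarders")
    if not is_true(g.get("useACK", "false")):
        warnings.append("useACK=false: events can be lost if the receiver goes down mid-stream")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_index_and_forward(SENDER_OUTPUTS_CONF, RECEIVER_INPUTS_CONF)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

Run against the answer's configuration it reports no errors (the path is consistent, which is why the setup worked) and two warnings: the sender is not checking the receiver's certificate, and the receiver is not asking forwarders for one. Both are reasonable while debugging connectivity; once the link is up, setting sslVerifyServerCert = true and requireClientCert = true (with a CA that issued the forwarder certificates) closes them.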
