Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Deployment Architecture
- :
- Setting up forwarder from CLI problem
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, I'm experiencing problems when configuring SSL forwarder from CLI.
My questions are:
Is it enough to move outputs.conf to /etc/system/local and restart splunk to enable forwarder?
If it is enough why am i getting following output from list forwarder-server:
Active Splunk-2-Splunk Forwards: None
Configured but inactive Splunk-2-Splunk Forwards: None
If I move outputs.conf to system/local and then try to add it forwarder like following:
"C:\Program Files\Splunk\bin\splunk" enable app SplunkLightForwarder -auth admin:changeme
"C:\Program Files\Splunk\bin\splunk" add forward-server server.com:9996 -auth admin:changeme
I get:
In handler 'tcpout-server': server.com:9996 forwarded-server already present
But the list forward-server still returns no forwarders?
I have also tried several combinations but with no success. What is the right sequence of commands to add SSL forwarder server and get some info that it is forwarding?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some experimenting I came up with this:
Enable Forwarder app: splunk enable app SplunkLightForwarder
Restart splunk: splunk restart
Add forwarder from cli: splunk add forward-server IP_ADRESA:PORT
Restart splunk: splunk restart
Copy SSL configuration to outputs.conf:
[tcpout-server://IP_ADRESA:PORT]
compressed = false
indexAndForward = false
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
Restart Splunk: splunk restart
See if forwarder is active: splunk list forward-server
Check on indexer if you have Cooked SSL: index=_internal tcpin 9996 cookedssl
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After some experimenting I came up with this:
Enable Forwarder app: splunk enable app SplunkLightForwarder
Restart splunk: splunk restart
Add forwarder from cli: splunk add forward-server IP_ADRESA:PORT
Restart splunk: splunk restart
Copy SSL configuration to outputs.conf:
[tcpout-server://IP_ADRESA:PORT]
compressed = false
indexAndForward = false
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
Restart Splunk: splunk restart
See if forwarder is active: splunk list forward-server
Check on indexer if you have Cooked SSL: index=_internal tcpin 9996 cookedssl
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also if I add forwarder from web, and specify SSL configuration for that forwarder in outputs.conf I get:
Active Splunk-2-Splunk Forwards:
None
Configured but inactive Splunk-2-Splunk Forwards:
splunk.splunk:9996
Accelerating Observability as Code with the Splunk AI Assistant
Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...
Congratulations to the 2025-2026 SplunkTrust!
