
Connection between Universal Forwarder and Deployment Server



We are using self-signed certificates in our Splunk environment. In general everything works fine, but at a closer look we found that the Universal Forwarders aren't using our self-signed forwarder certificate. Instead they are using the Splunk default certificates. Examining the conf files, I found out that the forwarder's server.conf ($SPLUNK_HOME/etc/system/default) refers to that certificate.

Changing the server.conf via an app doesn't work because the certificate password will not be encrypted.... 😞

Does anyone have an idea how we can deploy a new server.conf to our Universal Forwarders in a (Splunk supported/recommended) automated way...? Using System Center or other such tools isn't a good option because of a lack of privileges, but for several hundred Universal Forwarders it would be "a little bit" annoying to fix that problem manually.


0 Karma

Ultra Champion

To automate the deployment of the modified server.conf file to hundreds of servers, you can use Python scripts. Works for us ;-)

0 Karma


Hi pilzi81, for SSL-related issues in general, this talk covers about everything:

If you can't use some configuration management system (SCCM, salt, puppet, etc.), you could possibly script it out.

Alternatively you could create a separate cert for just the UFs, and assume that the password isn't secure, and use it only to encrypt communications, but not to prove identity.

0 Karma


Hi muebel,

thx for your advice! I already know the pdf - a really good presentation, but it doesn't solve this particular problem...

The status quo looks like this:
Every server has its own certificates (signed by our private CA) - one for inter-Splunk communication and one for web. All our Universal Forwarders are using one single certificate (signed by our private CA too).
We configured the Universal Forwarder's outputs.conf to use our certificate (certificate path and password). The outputs.conf is located in an app which is deployed via the Deployment Server. Funnily enough, this password will be encrypted at restart of the Universal Forwarder. Therefore, for the communication between Forwarder and Indexer our certificate is used and everything works fine.

However the communication between the Forwarders and the Deployment Server is the problem. For this connection the Forwarder uses the default Splunk certificate (the server.conf in $SPLUNK_HOME/etc/system/default refers to it). Trying to deploy a new server.conf (in which our certificate is configured) via the app mentioned above didn't solve the problem because the provided cleartext password wasn't encrypted... Providing an encrypted password in the new server.conf is useless as well, because every Forwarder uses its own splunk.secret file to decrypt the password.


0 Karma
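The situation described in this thread can be checked per forwarder with a small audit, shown here as an added example that is not code from any of the posters or from Splunk. It merges the `[sslConfig]` stanza of server.conf layers in precedence order and reports whether the effective `serverCert` is still the shipped default and whether the effective `sslPassword` is stored unencrypted. The layer names, the app name `org_ssl`, the certificate path and the sample contents are constructed; it assumes the `serverCert` setting name and that Splunk-encrypted values begin with `$1$` or `$7$`.

```python
import configparser

# Path of the certificate that ships with Splunk.
DEFAULT_CERT_MARKER = "etc/auth/server.pem"
# Prefixes Splunk writes once it has encrypted a stored password.
ENCRYPTED_PREFIXES = ("$1$", "$7$")

def read_sslconfig(text):
    """Return the [sslConfig] settings found in one server.conf layer."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    return dict(cp["sslConfig"]) if cp.has_section("sslConfig") else {}

def effective_sslconfig(layers):
    """Merge (name, text) layers, lowest precedence first; track origins."""
    merged, origin = {}, {}
    for name, text in layers:
        for key, value in read_sslconfig(text).items():
            merged[key], origin[key] = value, name
    return merged, origin

def audit(layers):
    """List findings for the effective [sslConfig] of one forwarder."""
    merged, origin = effective_sslconfig(layers)
    findings = []
    cert = merged.get("serverCert", "").replace("\\", "/")
    if DEFAULT_CERT_MARKER in cert:
        findings.append("default-cert")
    password = merged.get("sslPassword", "")
    if password and not password.startswith(ENCRYPTED_PREFIXES):
        findings.append("cleartext-password:" + origin["sslPassword"])
    return findings

# Constructed sample layers: system/default first, then a deployed app.
SAMPLE_LAYERS = [
    ("system/default",
     "[sslConfig]\n"
     "serverCert = $SPLUNK_HOME/etc/auth/server.pem\n"
     "sslPassword = password\n"),
    ("apps/org_ssl/local",
     "[sslConfig]\n"
     "serverCert = $SPLUNK_HOME/etc/auth/org/forwarder.pem\n"
     "sslPassword = ExamplePassphrase\n"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_LAYERS))
```

On a real forwarder the layer texts would be read from the files on disk, with system/local appended last because it has the highest precedence.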