Getting Data In

For Splunk Enterprise, pre 6.3, default root certificates expire on July 21, 2016 - Universal Forwarder?

opmlh0
Engager

Does the default root certificate expiration on July 21, 2016 affect the "universal forwarders" ?
What is the expiration date of the new root certificate that we are asked to replace the July 21 expiring one with?

0 Karma
1 Solution

bgraabek_splunk
Splunk Employee
Splunk Employee

The certificate expiration will only affect universal forwarders if you have enabled encrypted connections between the forwarders and the indexers

For more information and specifically on the forwarder question, see point 4 in the answer here:
https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html

View solution in original post

0 Karma

bgraabek_splunk
Splunk Employee
Splunk Employee

The certificate expiration will only affect universal forwarders if you have enabled encrypted connections between the forwarders and the indexers

For more information and specifically on the forwarder question, see point 4 in the answer here:
https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html

View solution in original post

0 Karma

realsplunk
Motivator

Hello, is it possible that Splunkforwarder still works if the cacert.pem on the indexer is expired and from different certificate authority? We have sslVerifyServerCert = false set on the fwd.

Thanks.

0 Karma

sim_tcr
Communicator

How do i confirm that my forwarder not connecting to indexers using encrypted?

07-14-2016 08:53:08.462 -0400 INFO  TcpOutputProc - Connected to idx=xx.xx.xxx.xx:9997 using ACK.

Thats the logs shows

0 Karma

sloshburch
Ultra Champion

The ACK has to do with the acknowledgement setting of forwarding.

If your indexer is set up with splunktcp-ssl inputs then it should be receiving SSL (encrypted) over that port. If there are ports in the inputs for TCP (without ssl) then see what is connecting to that port in the logs to find non SSL connections.

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!