Getting Data In
Highlighted

Forwarder load balancing over SSL to indexer cluster ?

Engager

Currently trying to load balance data from forwarder to indexer cluster ( idx1 & idx2) over ssl .

So this configuration is correct at forwarder outputs.conf?

[tcpout]
defaultGroup = LB

[tcpout:LB]
server = idx2:9998,idx1:9998

clientCrt = XXX
sslPassword = XXX
sslVerifyServerCert = XXX

problem statement - already try above configuration but LB happening only on idx2 until I make following change in idx1 inputs.conf

here i know that data is not moving over SSL

[splunktcp://9998]
connection_host = ip

[splunktcp-ssl:9998]
disabled = 0
[SSL]
serverCert = XXX
sslPassword = XXX
requireClientCert = false

idx2 inputs.conf

[splunktcp-ssl:9998]
disabled = 0
[SSL]
serverCert = XXX
sslPassword = XXX
requireClientCert = false

0 Karma
Highlighted

Re: Forwarder load balancing over SSL to indexer cluster ?

Communicator

Your outputs.conf looks fine to me, but I would add indexer acknowledgement to it. Add ** useACK = true ** under your tcpout:LB stanza to look like this:
** [tcpout:LB]
server = idx2:9998,idx1:9998
useACK = true **

According to Splunk Docs, [splunktcp-ssl:####] is supposed to be used to receive PARSED data from a forwarder. Unless you are using a heavy forwarder that is parsing data before sending to your indexers, use [tcp-ssl:####]. See Section: Configure a TCP input over SSL

I am reading conflicting statements about which stanza to use, but I know the inputs.conf.spec file states what I mentioned above about [splunktcp-ssl] vs [tcp-ssl]

Other than those changes. Make sure that idx2's inputs.conf matches exactly idx1's inputs.conf (which I am sure you have). I would maybe try running a btool check and see if inputs.conf has any stanza errors. $SPLUNK_HOME/bin/splunk btool inputs list --debug on idx1. May I also suggest some strategies mentioned on Splunk Docs Troubleshoot your forwarder to indexer authentication

0 Karma
Highlighted

Re: Forwarder load balancing over SSL to indexer cluster ?

Engager

Thanks for suggest and now it is working .
there was no change done within inputs.config as it is working fine with splunktcp-ssl stanza . only change made with outputs.conf

@13tsavage - thanks for help .