Forwarding to multiple indexers via SSL encryption is entirely possible.
Here's an example using a cloning configuration, in this config the SSL cert on the
forwarder is signed by both indexers and we are using the common name to provide authorization.
Remember to make sure your certs are in the specified directories on both indexers and forwarders.
[tcpout]
defaultGroup = index-server1, index-server2
disabled = false
[tcpout:index-server1]
server = index1.somedomain.com:9777
[tcpout:index-server2]
server = index2.somedomain.com:9777
[tcpout-server://index-server1.somedomain.com:9997]
sslCertPath = $SPLUNK_HOME/etc/auth/fowarder_cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/CAcert.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunk_index.somedomain.com
[tcpout-server://index-server2.somedomain.com:9997]
sslCertPath = $SPLUNK_HOME/etc/auth/fowarder_cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/CAcert.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunk_index.somedomain.com
For further examples on how to setup forwarding and receiving using SSL encryption see our official documents Splunk SSL documentation
Forwarding to multiple indexers via SSL encryption is entirely possible.
Here's an example using a cloning configuration, in this config the SSL cert on the
forwarder is signed by both indexers and we are using the common name to provide authorization.
Remember to make sure your certs are in the specified directories on both indexers and forwarders.
[tcpout]
defaultGroup = index-server1, index-server2
disabled = false
[tcpout:index-server1]
server = index1.somedomain.com:9777
[tcpout:index-server2]
server = index2.somedomain.com:9777
[tcpout-server://index-server1.somedomain.com:9997]
sslCertPath = $SPLUNK_HOME/etc/auth/fowarder_cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/CAcert.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunk_index.somedomain.com
[tcpout-server://index-server2.somedomain.com:9997]
sslCertPath = $SPLUNK_HOME/etc/auth/fowarder_cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/CAcert.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunk_index.somedomain.com
For further examples on how to setup forwarding and receiving using SSL encryption see our official documents Splunk SSL documentation
Information about setting up SSL forwarding with host authentication and self-signed certificates can be found here : http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...