Solved: How do i forward to multiple indexers w/SSL

Chris_R_ · ‎02-24-2010

I have two indexers and a (various#) number of forwarders, how can i use SSL for all traffic between these boxes?

Chris_R_ · ‎02-24-2010

Forwarding to multiple indexers via SSL encryption is entirely possible. Here's an example using a cloning configuration, in this config the SSL cert on the forwarder is signed by both indexers and we are using the common name to provide authorization.
Remember to make sure your certs are in the specified directories on both indexers and forwarders.

[tcpout]
defaultGroup = index-server1, index-server2
disabled = false

[tcpout:index-server1]
server = index1.somedomain.com:9777

[tcpout:index-server2]
server = index2.somedomain.com:9777

[tcpout-server://index-server1.somedomain.com:9997]
sslCertPath = $SPLUNK_HOME/etc/auth/fowarder_cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/CAcert.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunk_index.somedomain.com

[tcpout-server://index-server2.somedomain.com:9997]
sslCertPath = $SPLUNK_HOME/etc/auth/fowarder_cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/CAcert.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunk_index.somedomain.com

For further examples on how to setup forwarding and receiving using SSL encryption see our official documents Splunk SSL documentation

View solution in original post

Chris_R_ · ‎02-24-2010

Forwarding to multiple indexers via SSL encryption is entirely possible. Here's an example using a cloning configuration, in this config the SSL cert on the forwarder is signed by both indexers and we are using the common name to provide authorization.
Remember to make sure your certs are in the specified directories on both indexers and forwarders.

[tcpout]
defaultGroup = index-server1, index-server2
disabled = false

[tcpout:index-server1]
server = index1.somedomain.com:9777

[tcpout:index-server2]
server = index2.somedomain.com:9777

[tcpout-server://index-server1.somedomain.com:9997]
sslCertPath = $SPLUNK_HOME/etc/auth/fowarder_cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/CAcert.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunk_index.somedomain.com

[tcpout-server://index-server2.somedomain.com:9997]
sslCertPath = $SPLUNK_HOME/etc/auth/fowarder_cert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/CAcert.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunk_index.somedomain.com

For further examples on how to setup forwarding and receiving using SSL encryption see our official documents Splunk SSL documentation

hexx · ‎09-23-2010

Information about setting up SSL forwarding with host authentication and self-signed certificates can be found here : http://answers.splunk.com/questions/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certifi...

How do i forward to multiple indexers w/SSL

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation