Getting Data In

How to encrypt communication between a universal forwarder and heavy forwarder?

shaileshmali
Path Finder

I am not able to configure heavy forwarder inputs.conf file to receive encrypted traffic.

1) config inputs.conf on heavy forwarder is given below. but netstat -an does not show heavy forwarder is listening on port 9998

[splunktcp-ssl:9998]
compressed = true

[SSL]
password = $1$YJqLPm4skNlFOQ==
rootCA = /opt/splunk/etc/certs/ca.pem
serverCert = /opt/splunk/etc/certs/splunk-dev.pem

2) On universal forwarder I am using app with outputs.conf

[tcpout]
defaultGroup = splunkssl
sendCookedData = true
dnsResolutionInterval = 300

[tcpout:splunkssl]
compressed = true
server = heavy forwarder name :9998
sslCertPath = C:\Program Files\SplunkUniversalForwarder\etc\apps\FW_DEV_NA_Encrypt\default\certs\splunk-dev.pem
sslPassword = testmy123
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\apps\FW_DEV_NA_Encrypt\default\certs\ca.pem
sslVerifyServerCert = false
0 Karma

m4him7
Path Finder

I had a similar issue and found that I had an outputs.conf file in my etc/system/local directory that was being used instead of the outputs.conf in my app directory. I renamed the wrong outputs.conf file and restarted Splunk. You can tell if your outputs.conf file is being used as the sslPassword = testmy123 will be encrypted after it is read the first time. If you have an outputs.conf file in another directory being used first it may be that it is using a different port which is another indication that the wrong outputs.conf file is being used.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Laser Bananas and Edge Hubs: Exploring Operational Technology (OT) Data Through a ...

  OT is a different environment to traditional IT and can have interesting challenges when interfacing the ...

Event Series: Mastering AI Tokenomics and Splunk Agent Observability

Beyond the Black Box: Correlating AI Performance and Tokenomics with Splunk Agent Observability   As ...

span_metrics: The OpenTelemetry-Idiomatic Way to See Inside Your Services

You open a trace in Splunk Observability Cloud and everything looks fine. One root span, order-pipeline, with ...