I'm using this on deployment-apps (universal forwarder deployment):
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = indexer:9997

[tcpout-server://indexer:9997]
sslCertPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/cacert.pem
sslVerifyServerCert = false
I'm 99% sure sslPassword for my cacert.pem is not 'password', so isn't it working for server.pem instead (default Splunk cert)?
If I use the correct cacert pass, I get "ssl23_get_client_hello unknown protocol" on indexer and "TcpOutputFd Read error" on forwarder.
Thanks for your clarification.
Sorry for this detail:
the steps you have to do are:
If you insert outputs.conf in the default directory, the password will be encrypted in the local directory and not encrypted in the default directory.
So why at http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Outputsconf do we have:
The password associated with the CAcert.
The default Splunk CAcert uses the password "password".
There is no default value.
Thanks a lot!
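Added example, not part of the original thread or Splunk's own tooling: a small Python check for the point made above about default/ versus local/, which flags tcpout stanzas whose sslPassword is still clear text or whose sslVerifyServerCert is false. The "$1$"/"$7$" prefix test, the file names and the sample local/ value are assumptions of this example.

```python
import re

# Assumption of this example: values Splunk has already encrypted start with
# "$1$" or "$7$"; anything else in sslPassword is treated as clear text.
ENCRYPTED_PREFIXES = ("$1$", "$7$")

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def audit_outputs(text, source):
    """Return (source, stanza, issue) tuples for tcpout stanzas."""
    findings = []
    for stanza, settings in parse_conf(text).items():
        if not stanza.startswith("tcpout"):
            continue
        password = settings.get("sslPassword")
        if password is not None and not password.startswith(ENCRYPTED_PREFIXES):
            findings.append((source, stanza, "sslPassword in clear text"))
        if settings.get("sslVerifyServerCert", "").lower() in ("false", "0"):
            findings.append((source, stanza, "indexer certificate not verified"))
    return findings

# Constructed sample: the stanza from the question as shipped in default/,
# and the same stanza as it might look in local/ after encryption.
DEFAULT_CONF = """
[tcpout-server://indexer:9997]
sslCertPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/server.pem
sslPassword = password
sslVerifyServerCert = false
"""
LOCAL_CONF = DEFAULT_CONF.replace("= password", "= $1$CONSTRUCTED-PLACEHOLDER")

if __name__ == "__main__":
    for name, text in (("default/outputs.conf", DEFAULT_CONF),
                       ("local/outputs.conf", LOCAL_CONF)):
        for finding in audit_outputs(text, name):
            print(*finding, sep=": ")
```

Run against the copy in deployment-apps as well as the forwarder's installed app, since the deployment server copy is what gets distributed.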