I keep hearing flip-flop answers from people saying that if I upgrade Splunk Enterprise 7.0, then I won't be able to receive logs from Windows 2003 servers with a Splunk universal forwarder on it.
Is this true or not?
There is significant cross-version compatibility between forwarders and indexers, so upgrading your indexers will often be fine. See this compatibility matrix for the complete picture: https://docs.splunk.com/Documentation/Forwarder/7.2.3/Forwarder/Compatibilitybetweenforwardersandind...
It is true that you won't get new forwarder versions for your 2k3 boxes though.
You can have forwarders from version 6.0.0 (so long as you're using the latest release from each set [6.1.13, for example]) send data to 7.x, but you will need to enable TLS encryption with strong ciphers from your universal forwarders (outputs.conf) to your indexer(s) (inputs.conf).

outputs.conf for the UF
# Send all output to the TLS-enabled indexer group
[tcpout]
defaultGroup = ssl_indexers

[tcpout:ssl_indexers]
server = server1:9997, server2:9997, server3:9997
sslCertPath = $SPLUNK_HOME/etc/apps/forwarder_ssl_outputs/local/splunk-forwarder.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/apps/forwarder_ssl_outputs/local/cacert.crt
inputs.conf for the indexer(s)
# TLS-only receiving port for forwarder traffic
[splunktcp-ssl:9997]
connection_host = none

[SSL]
password = $1$hashedCertPassword
rootCA = $SPLUNK_HOME/etc/auth/your_org/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/your_org/server1.9997.pem
sslVersions = tls1.2
cipherSuite = ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:ECDH+AES256:ECDH+AES128:DH+AES256:DH+AES:RSA+AES:!SSLv3:!eNULL:!aNULL:!MD5:!DSS:!3DES:!SHA:!RC4:!EXPORT:!PSK
I have 6.1.13 forwarders on Windows XP sending data to 7.1.5 indexers, and they communicate properly with the deployment server.
See https://wiki.splunk.com/images/f/fb/SplunkTrustApril-SSLipperySlopeRevisited.pdf for more information.
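An added check, not part of the answer above: before putting a cipherSuite string like the one in the inputs.conf example into production, it is worth seeing which concrete ciphers the local OpenSSL library actually resolves it to, because a selector such as RSA+AESGCM also admits static-RSA key exchange (no forward secrecy) and !SHA still leaves CBC suites with SHA-256 MACs. The script assumes the cipherSuite value as written on this page (with the two obvious typos corrected) and uses only Python's standard ssl module.

```python
import ssl

# The cipherSuite value from the indexer-side inputs.conf on this page
# (constructed copy; "RECDH" and "SA+AES" corrected to ECDH and RSA+AES).
SPLUNK_CIPHER_SUITE = (
    "ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:ECDH+AES256:ECDH+AES128:DH+AES256:"
    "DH+AES:RSA+AES:!SSLv3:!eNULL:!aNULL:!MD5:!DSS:!3DES:!SHA:!RC4:!EXPORT:!PSK"
)

# Name fragments that should never survive the exclusions in the string above.
FORBIDDEN_FRAGMENTS = ("RC4", "3DES", "DES-CBC3", "MD5", "NULL", "EXPORT", "PSK", "DSS")


def expand_cipher_suite(cipher_string: str) -> list:
    """Resolve an OpenSSL cipher string into the ciphers a TLS 1.2+ server
    built on the local OpenSSL would actually offer, in priority order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # mirrors sslVersions = tls1.2
    ctx.set_ciphers(cipher_string)                 # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()                       # list of dicts: name, protocol, kea, aead, ...


def weak_ciphers(ciphers: list) -> list:
    """Ciphers whose name contains a fragment the string claims to exclude."""
    return [c["name"] for c in ciphers
            if any(bad in c["name"] for bad in FORBIDDEN_FRAGMENTS)]


def without_forward_secrecy(ciphers: list) -> list:
    """TLS 1.2 ciphers using static RSA key exchange (admitted by RSA+AESGCM / RSA+AES)."""
    return [c["name"] for c in ciphers
            if c["protocol"] == "TLSv1.2" and c.get("kea") == "kx-rsa"]


def non_aead(ciphers: list) -> list:
    """TLS 1.2 ciphers that are not AEAD, i.e. CBC suites that !SHA did not remove."""
    return [c["name"] for c in ciphers
            if c["protocol"] == "TLSv1.2" and not c.get("aead", False)]


if __name__ == "__main__":
    offered = expand_cipher_suite(SPLUNK_CIPHER_SUITE)
    print(f"{len(offered)} ciphers offered")
    print("weak (should be empty):", weak_ciphers(offered))
    print("no forward secrecy:", without_forward_secrecy(offered))
    print("non-AEAD (CBC):", non_aead(offered))
```

If the last two lists are not empty and your forwarders all support ECDHE/DHE AES-GCM, dropping the RSA+ and non-GCM selectors from the string removes those suites while keeping the 6.x forwarders on the page working.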