Getting Data In

On a Heavy forwarder that forwards events to a 3rd party device, how can I encrypt the traffic using certificates?

New Member

I have an app on a HF that forwards events to a 3rd party device via unencrypted channel. I would like to encrypt the traffic using certificates which I received from a 3rd party (root.crt and sender.crt).

This is the output.conf stanza I am trying to use which does not seem to work:

    server = <IP>:<Port>
    sslRootCAPath = $SPLUNK_HOME/etc/apps/3rdparty/local/root.crt
    sslCertPath = $SPLUNK_HOME/etc/apps/3rdparty/local/sender.crt
    requireClientCert = false
    sslVerifyServerCert = false
    sendCookedData = false

"Error initializing SSL context - check splunkd.log regarding configuration error for server "

What additional steps do I need to take to accomplish this?

0 Karma


What does splunkd.log say about configuration errors? I think the sslPassword setting is missing. Also, you need to configure inputs.conf on your receiver.

The configurations structure which worked for me is,

outputs.conf (on forwarders):

sslPassword = xxxxxxxxxxxxxxxxxxxxxx
sslVersions = tls1.2
clientCert = $SPLUNK_HOME/etc/auth/myOrg/myOrgFWDcert.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/myOrg/myOrgCACertificate.pem
channelReapInterval = 60000
channelReapLowater = 10
channelTTL = 300000
dnsResolutionInterval = 300
negotiateNewProtocol = true
socksResolveDNS = false
useClientSSLCompression = true
server =, idx.com2:9998
useACK = true   

inputs.conf (On indexers):

serverCert = $SPLUNK_HOME/etc/auth/myOrg/myOrgServerCertificate.pem
sslPassword = xxxxxxxxxxxxxxxxx
sslVersions = tls1.2


Additionally, please refer to these links for more information,

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!