Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

SSL/TLS Configuration on Splunk Forwarder (Windows)

BRFZ
Communicator
‎03-24-2025 04:23 AM

Hello,

I’ve been reviewing the documentation for configuring SSL/TLS on a Splunk forwarder, but I couldn’t find the specific steps for setting it up on a Windows machine. Would anyone be able to provide the procedure or a link to the relevant documentation?

Best regards,

Labels (4)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎03-24-2025 06:37 AM

The documentation is about the same regardless of wheteher it's windows or linux. (the only minute difference is CA trust store definition if you use the OS store).

The question is what do you need.

There are two layers here.

1. Configuration of connection encryption (which should be enabled by default) and server's identity verification.

2. Configuration of forwarder authentication to your receiver with TLS.

You should first make sure that the first point is properly configured. Then you can go to configuring the second one. People often try to do both things at the same time and get confused with different settings and different results.

Reply

kiran_panchavat
Champion
‎03-24-2025 04:39 AM

@BRFZ 

  • A client certificate (e.g., client.pem) for the forwarder, including the private key.
  • The Certificate Authority (CA) certificate (e.g., cacert.pem) that signed the indexer’s server certificate.
  • Place these files in a secure directory on the Windows machine, such as C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\. Create the mycerts folder if it doesn’t exist.
  • Open or create the outputs.conf file in C:\Program Files\SplunkUniversalForwarder\etc\system\local\. If it doesn’t exist, create it.
    Add the following configuration to specify the indexer(s) and enable TLS:
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = <indexer_hostname>:9997
clientCert = C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\client.pem
sslPassword = <password_for_client_certificate>
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\cacert.pem
sslVerifyServerCert = true
sslCommonNameToCheck = <indexer_common_name>
useClientSSLCompression = true
  • Open or create the server.conf file in C:\Program Files\SplunkUniversalForwarder\etc\system\local\.
  • Add the following to specify the CA certificate for verifying the indexer:
[sslConfig]
sslRootCAPath = C:\Program Files\SplunkUniversalForwarder\etc\auth\mycerts\cacert.pem
  • This ensures the forwarder trusts the CA that signed the indexer’s certificate.
  • Restart the Splunk Forwarder:
  • cd C:\Program Files\SplunkUniversalForwarder\bin and splunk restart

  • Check the forwarder’s logs for errors in C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log. Look for messages related to TcpOutputProc or SSL/TLS issues (e.g., X509Verify or SSLCommon errors).

https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-fo... 

Your forwarder would need SSL certs and configurations as well to enable SSL communication with your SSL enabled indexer. This documentation will give you all the

https://docs.splunk.com/Documentation/Splunk/9.4.1/Security/ConfigureSplunkforwardingtousesignedcert... 

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply

BRFZ
Communicator
‎03-24-2025 05:47 AM

@kiran_panchavat,

Thank you for your response. I reviewed the documentation, and I found the following phrase for configuring SSL on both indexers and forwarders (non-Windows):

"On forwarders that do not run on Windows, open the server.conf configuration file for editing.
Add the following stanza and settings to the file:
[sslConfig]
sslRootCAPath = <absolute path to the certificate authority certificate>"

Based on this, it seems that the CA configuration is required only on non-Windows systems (Linux). Could you please confirm if this configuration is needed for Windows forwarders as well?

Thank you for your help!

0 Karma
Reply

kiran_panchavat
Champion
‎03-24-2025 05:56 AM

@BRFZ 

Check this community link 

https://www.reddit.com/r/Splunk/comments/sgeuhl/whats_the_deal_with_uf_hf_ssl_certs/ 

https://community.splunk.com/t5/Getting-Data-In/Why-is-my-Windows-Forwarder-SSL-Configuration-not-fo... 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply

kiran_panchavat
Champion
‎03-24-2025 05:53 AM

@BRFZ 

Yes, It's correct. 

 

kiran_panchavat_1-1742820785245.png

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply

BRFZ
Communicator
‎03-28-2025 01:46 AM

Hello,

@kiran_panchavat, @PickleRick , @livehybrid 

Thank you for your responses; they were very helpful for me. However, I would like to know if you happen to know why I am getting ack set to false?

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-28-2025 03:09 AM

Hi @BRFZ 

useAck=false is the default value in outputs.conf for whether or not to use indexer acknowledgment.

Essentially, with this set to true it means that the forwarder saves the event until the indexer has acknowledged that it has fully processed the event (typically that it is written to disk).

For more info check out https://docs.splunk.com/Documentation/Splunk/9.4.1/Admin/Outputsconf#:~:text=Distributed%20Deploymen...

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will 

0 Karma
Reply

kiran_panchavat
Champion
‎03-24-2025 04:34 AM

@BRFZ 

Your forwarder would need SSL certs and configurations as well to enable SSL communication with your SSL enabled indexer. This documentation will give you all the

https://docs.splunk.com/Documentation/Splunk/9.4.1/Security/ConfigureSplunkforwardingtousesignedcert... 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-24-2025 04:30 AM

Hi @BRFZ 

I think the best place to start for setting up SSL/TLS is at https://docs.splunk.com/Documentation/Splunk/9.4.1/Security/ConfigureSplunkforwardingtousesignedcert...

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...