SSL between forwarders and indexers

jatin_patel
Path Finder

Is it possible to have an index cluster tier that can support both non-SSL and SSL forwarders without running multiple instances?

1 Solution

burwell
SplunkTrust

Building on the above answers, here are examples, at least for Splunk 6.6.

inputs.conf on the indexer

# non ssl
[splunktcp://<non_ssl_port>]

# ssl
[splunktcp-ssl:<ssl_port>]
[SSL]
requireClientCert = true
sslCommonNameToCheck = mycommonName
serverCert = /path/to/ssl/servercert.pem

outputs.conf on a forwarder using SSL

[tcpout]
defaultGroup             = splunkindexer-ssl

[tcpout:splunkindexer-ssl]
autoLBFrequency = 30
compressed  = false
server  = server1:<ssl_port>,server2:<ssl_port>,server3:<ssl_port>
clientCert  = /path_to_cert/servercert.pem
sslPassword  = password
sslRootCAPath  = /path_to_ca_cert/ca.cert.pem
sslCommonNameToCheck = mycommonName
sslVersions = tls1.2

jatin_patel
Path Finder

Thanks everyone!!

0 Karma

jatin_patel
Path Finder

Thanks so much for two answers!!

So, I need inputs.conf with two ports, one for non-SSL (default 9997) and another for SSL?
Then just use SSL configs in outputs.conf for each forwarder where we need SSL?

Are there some Splunk docs out there that I can take a look at?

0 Karma

skalliger
Motivator

Just look at the inputs.conf specifications. It's all described there.

Skalli

0 Karma

ddrillic
Ultra Champion

Sure, you can do that by setting outputs.conf on each forwarder as you choose, with or without SSL. If your outputs.conf is deployed via apps, then you can deploy the desired SSL or non-SSL configuration to each set of forwarders.

0 Karma

jkuepker_splunk
Splunk Employee

Yes, but they cannot be on the same port. You will need to have one [splunktcp-ssl:] stanza and [splunktcp:] stanza in your inputs.conf.

0 Karma
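
An added example, not part of any post in this thread: a small Python check for two points raised above, that the plain and SSL inputs do not share a port (jkuepker_splunk's answer) and that the sslCommonNameToCheck settings in burwell's configs are actually enforced, which per the inputs.conf and outputs.conf specs requires requireClientCert = true on the indexer and sslVerifyServerCert = true on the forwarder. The port numbers and sample config text are constructed for illustration.

```python
import configparser
import re

# Constructed samples modelled on the thread's configs; port numbers are assumptions.
INPUTS_CONF = """
[splunktcp://9997]
[splunktcp-ssl:9998]
[SSL]
requireClientCert = true
sslCommonNameToCheck = mycommonName
"""
OUTPUTS_CONF = """
[tcpout:splunkindexer-ssl]
server = server1:9998,server2:9998
sslCommonNameToCheck = mycommonName
"""
# Matches splunktcp:<port>, splunktcp://<port>, splunktcp://<host>:<port> and the -ssl forms.
STANZA = re.compile(r"^(splunktcp(?:-ssl)?):(?://)?(?:[^:]*:)?(\d+)$")

def parse(text):
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(text)
    return cp

def is_true(cp, section, key):
    return cp.get(section, key, fallback="false").strip().lower() in ("true", "1")

def lint_inputs(text):
    """Flag a port shared by plain and SSL inputs, and a client CN check that cannot fire."""
    cp, findings, seen = parse(text), [], {}
    for section in cp.sections():
        m = STANZA.match(section)
        if m and seen.setdefault(m.group(2), m.group(1)) != m.group(1):
            findings.append(f"port {m.group(2)} is shared by splunktcp and splunktcp-ssl")
    if cp.has_option("SSL", "sslCommonNameToCheck") and not is_true(cp, "SSL", "requireClientCert"):
        findings.append("[SSL] sslCommonNameToCheck needs requireClientCert = true")
    return findings

def lint_outputs(text):
    """Flag tcpout groups whose server-name check is configured but not enforced."""
    cp = parse(text)
    return [f"[{s}] sslCommonNameToCheck needs sslVerifyServerCert = true"
            for s in cp.sections()
            if s.startswith("tcpout") and cp.has_option(s, "sslCommonNameToCheck")
            and not is_true(cp, s, "sslVerifyServerCert")]

if __name__ == "__main__":
    print("\n".join(lint_inputs(INPUTS_CONF) + lint_outputs(OUTPUTS_CONF)))
```

Run against the sample forwarder config, it reports that the tcpout group sets sslCommonNameToCheck without sslVerifyServerCert = true, so the indexer's certificate name would not be checked.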