Getting Data In

SSL between forwarders and indexers

jatin_patel
Path Finder

Is it possible to have index cluster tier which can support both non-ssl and ssl forwarders without running multiple instances?

Tags (3)
1 Solution

burwell
SplunkTrust
SplunkTrust

Building on above answers. Here are examples at least for Splunk 6.6

inputs.conf on the indexer

# non ssl
[splunktcp://<non_ssl_port>]

# ssl
[splunktcp-ssl:<ssl_port>]
[SSL]
requireClientCert = true
sslCommonNameToCheck = mycommonName
serverCert = /path/to/ssl/servercert.pem

outputs.conf on a forwarder using SSL

[tcpout]
defaultGroup             = splunkindexer-ssl

[tcpout:splunkindexer-ssl]
autoLBFrequency = 30
compressed  = false
server  = server1:<ssl_port>,server2:<ssl_port>,server3:<ssl_port>
clientCert  = /path_to_cert/servercert.pem
sslPassword  = password
sslRootCAPath  = /path_to_ca_cert/ca.cert.pem
sslCommonNameToCheck = mycommonName
sslVersions = tls1.2

View solution in original post

jatin_patel
Path Finder

Thanks everyone!!

0 Karma

burwell
SplunkTrust
SplunkTrust

Building on above answers. Here are examples at least for Splunk 6.6

inputs.conf on the indexer

# non ssl
[splunktcp://<non_ssl_port>]

# ssl
[splunktcp-ssl:<ssl_port>]
[SSL]
requireClientCert = true
sslCommonNameToCheck = mycommonName
serverCert = /path/to/ssl/servercert.pem

outputs.conf on a forwarder using SSL

[tcpout]
defaultGroup             = splunkindexer-ssl

[tcpout:splunkindexer-ssl]
autoLBFrequency = 30
compressed  = false
server  = server1:<ssl_port>,server2:<ssl_port>,server3:<ssl_port>
clientCert  = /path_to_cert/servercert.pem
sslPassword  = password
sslRootCAPath  = /path_to_ca_cert/ca.cert.pem
sslCommonNameToCheck = mycommonName
sslVersions = tls1.2

jatin_patel
Path Finder

Thanks so much for two answers!!

so,
I need inputs.conf with two ports one for one port for non-ssl(default 9997) and another for SSL?
Then just use SSL configs in outputs.conf for each forwarders where we need SSL?

is there some splunk docs out there which I can take a look?

0 Karma

skalliger
SplunkTrust
SplunkTrust

Just look at the inputs.conf specifictaions. It's all described there.

Skalli

0 Karma

ddrillic
Ultra Champion

Sure, you can do that by setting on each forwarder outputs.conf as you choose to with or without ssl. If your outputs.conf is deployed via the apps then you can deploy to each set of forwarders the desired ssl or not configurations.

0 Karma

jkuepker_splunk
Splunk Employee
Splunk Employee

Yes, but they cannot be on the same port. You will need to have one [splunktcp-ssl:] stanza and [splunktcp:] stanza in your inputs.conf.

0 Karma
Get Updates on the Splunk Community!

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

How I Instrumented a Rust Application Without Knowing Rust

As a technical writer, I often have to edit or create code snippets for Splunk's distributions of ...

Splunk Community Platform Survey

Hey Splunk Community, Starting today, the community platform may prompt you to participate in a survey. The ...