Getting Data In

SSL encryption and authentication between Heavy Forwarder and Indexer

Path Finder


I have a doubt with respect to the below stanzas in Heavy forwarder and indexers. Will the below stanzas ensures SSL authentication only OR it will encrypt the communication as well? If it ensures encryption as well can you please put some light?

outputs.conf in Heavy Forwarder

defaultGroup = splunkssl

server =
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/myForwarderCertificate.pem
sslPassword = $%^!@#%
sslVerifyServerCert = true

sslCommonNameToCheck =

inputs.conf in Indexer

rootCA = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myIndexerCertificate.pem
password = &#^#$%
requireClientCert = true

compressed = true

0 Karma

Splunk Employee
Splunk Employee

Yes, data will be encrypted. If you check data packets by tcpdump or wireshark, you won't be able to see the data content.

Splunk s2s(splunk to splunk, forwarder to indexer) SSL setting always enable SSL encryption.
SSL Certificate Authentication is to validate CA authority and the Server's Common Name in the indexer's certificate by adding "sslVerifyServerCert" and "sslCommonNameToCheck"

A few links related to this topic

0 Karma
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...