Getting Data In

SSL encryption and authentication between Heavy Forwarder and Indexer

Path Finder


I have a doubt with respect to the below stanzas in Heavy forwarder and indexers. Will the below stanzas ensures SSL authentication only OR it will encrypt the communication as well? If it ensures encryption as well can you please put some light?

outputs.conf in Heavy Forwarder

defaultGroup = splunkssl

server =
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
sslCertPath = $SPLUNK_HOME/etc/auth/mycerts/myForwarderCertificate.pem
sslPassword = $%^!@#%
sslVerifyServerCert = true

sslCommonNameToCheck =

inputs.conf in Indexer

rootCA = $SPLUNK_HOME/etc/auth/mycerts/myCACertificate.pem
serverCert = $SPLUNK_HOME/etc/auth/mycerts/myIndexerCertificate.pem
password = &#^#$%
requireClientCert = true

compressed = true

0 Karma

Splunk Employee
Splunk Employee

Yes, data will be encrypted. If you check data packets by tcpdump or wireshark, you won't be able to see the data content.

Splunk s2s(splunk to splunk, forwarder to indexer) SSL setting always enable SSL encryption.
SSL Certificate Authentication is to validate CA authority and the Server's Common Name in the indexer's certificate by adding "sslVerifyServerCert" and "sslCommonNameToCheck"

A few links related to this topic

0 Karma
Get Updates on the Splunk Community!

Index This | Why do they call it hyper text?

November 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

For the past three years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

The Great Resilience Quest: 9th Leaderboard Update

The ninth leaderboard update (11.9-11.22) for The Great Resilience Quest is out >> Kudos to all the ...