Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- SSL on universal, heavy, and splunk server?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Reading the questions that reference SSL certificates for splunk data I'm confused. If I simply use SSL to encrypt data from universal forwarders am I protected? I have universal forwarders sending data to heavy forwarders and heavy forwarders sending data to my splunk server. To be secure do i really have to put the ssl certificate and password on every universal and heavy forwarder? What to i gain by putting the certificate on the splunk server/indexer?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
it depends on what you want to protect yourself from. If you just want to make sure that your network traffic is not transmitted in plain text, then gkanapathys answer in the following post is fine:
http://splunk-base.splunk.com/answers/397/how-to-configure-ssl-for-forwarding-and-receiving-data
If you want to make sure, that only known forwarders can send data to an indexer (1) and if you want to make sure that your forwarders are sending data to your known & trusted indexer(s)(2) then hexxs answer will be the way to go:
http://splunk-base.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certi...
(1) A risk I see here is that anyone could send data to an indexer (or the heavy forwarder in your case) and you would end up with rubbish/unwanted data in your indexes
(2) If the forwarders do not verify the indexer (or the heavy forwarder in your case) someone could set up a fake server and might manage to get the forwarders to send their data to it
So I guess it depends on how critical the data is you have in Splunk and whether you are sending the traffic over an insecure network (the internet) or not and whether you can afford to spend some time on this or not.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi there,
it depends on what you want to protect yourself from. If you just want to make sure that your network traffic is not transmitted in plain text, then gkanapathys answer in the following post is fine:
http://splunk-base.splunk.com/answers/397/how-to-configure-ssl-for-forwarding-and-receiving-data
If you want to make sure, that only known forwarders can send data to an indexer (1) and if you want to make sure that your forwarders are sending data to your known & trusted indexer(s)(2) then hexxs answer will be the way to go:
http://splunk-base.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certi...
(1) A risk I see here is that anyone could send data to an indexer (or the heavy forwarder in your case) and you would end up with rubbish/unwanted data in your indexes
(2) If the forwarders do not verify the indexer (or the heavy forwarder in your case) someone could set up a fake server and might manage to get the forwarders to send their data to it
So I guess it depends on how critical the data is you have in Splunk and whether you are sending the traffic over an insecure network (the internet) or not and whether you can afford to spend some time on this or not.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
Data Management Digest – May 2026
