Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Securing communcation between Universal Forwarder and Heavy Forwarder

rwcbp
Explorer
‎07-01-2015 07:37 AM

Splunk Docs do not specifically state that default encryption is active between Universal Forwarders and Heavy Forwarders, is it?

Also, if a self-signed or third party cert is used for this environment, is the Universal Forwarder the "client" of the Heavy Forwarder in this example?

Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:47 AM

By default, no, there is no crypto between forwarders and indexers or forwarders and intermediate forwarders.

If you choose to do encryption, the certificate situation is up to you. However, I would STRONGLY suggest use of either a private CA or 3rd party certs. Don't use the default self-signed stuff. George Starcher and I did a .conf talk on this subject at .conf 2014, should be able to find it in the talk archives.

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"

View solution in original post

Reply
Solved! Jump to solution

karthikeyan_k14
New Member
‎06-07-2017 09:07 PM

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"...

we are also deploying the same setup, but HF is in cluster mode for LB with fail over setup.
can anyone help the SSL certificate configuration of all (UF,HF and IDX) input.conf and output,conf. We are deployed 3rd party pki certificate. using Common name fro all Forwarders,IDX and DS

I need below answers for below queries
1. Have to initiate separate certificate for all forwarders with rootpath ? or same has to use in ssl client and server
2. please share sample configuration

0 Karma
Reply
Solved! Jump to solution

rwcbp
Explorer
‎07-01-2015 07:50 AM

Thanks for the quick response. I will search for the .conf 2014 discussion, as well.

0 Karma
Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:47 AM

By default, no, there is no crypto between forwarders and indexers or forwarders and intermediate forwarders.

If you choose to do encryption, the certificate situation is up to you. However, I would STRONGLY suggest use of either a private CA or 3rd party certs. Don't use the default self-signed stuff. George Starcher and I did a .conf talk on this subject at .conf 2014, should be able to find it in the talk archives.

In the case of UF -> HF -> Indexer, the UF is an "SSL Client", the HF Is both an SSL "server" (toward the UF) and an SSL "client" (toward the indexer), and the indexer is an SSL "server"

Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎07-01-2015 07:55 AM

Just remembered, I posted a copy of the slides post .conf with some followup comments based on audience questions at http://duanewaddle.com/splunk-conf-2014/

0 Karma
Reply
Solved! Jump to solution

rwcbp
Explorer
‎07-01-2015 08:02 AM

Much appreciated. Certainly saves time.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...