Getting Data In

Squid proxy & universal forwarder

willemjongeneel
Communicator

Hello,

I'm trying to send data from a directory on a server to Splunk Cloud using the universal forwarder. This traffic goes through a squid proxy. I've tried to configure the proxy in server.conf:

[proxyConfig]
http_proxy = http//:8080
https_proxy = https//:8080

Port 8080 is open for tcp traffic.

I am able to connect from the server to the proxy using telnet. I am not able to connect to the indexers using telnet; however, this should be possible while connecting from the universal forwarder using the forwarder credentials package, right?

The forwarder seems to be unable to connect to the indexers. The splunkd file has the following warnings:

TcpOutputProc - 'sslCertPath' deprecated; use 'clientCert' instead..
Cooked connection to ip=:9997 timed out.

In the splunkd text file I don't see anything about the proxy I configured either. Should this show in the splunkd file?

Does anyone have an idea on how to troubleshoot this issue?

Thanks, kind regards,
Willem Jongeneel

0 Karma

dhihoriya_splun
Splunk Employee

Hi @willemjongeneel

To connect to the indexer from the Splunk UF, you have to add the SSL cert configuration in the outputs.conf file of the UF:

[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = your indexer DNS: port on which you want to send the data

sslCertPath = *******
sslRootCAPath = *********
sslPassword = ********

sslCommonNameToCheck = ********
sslVerifyServerCert = true
useClientSSLCompression = true
0 Karma
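
As an added example (not part of the thread and not Splunk's own tooling), a small Python lint for a single outputs.conf, built on the settings named in the answer above and the deprecation warning quoted in the question. The sample file, its host and paths are constructed placeholders, the finding names are this example's own, and `sslAltNameToCheck` is included as the alternative name-check setting.

```python
import configparser

# Constructed sample in the layout of the answer above; host and paths
# are placeholders, not values from the thread.
SAMPLE = """\
[tcpout]
defaultGroup = my_indexers

[tcpout:my_indexers]
server = idx.example.invalid:9997
sslCertPath = /path/to/placeholder_client.pem
sslRootCAPath = /path/to/placeholder_ca.pem
sslCommonNameToCheck = idx.example.invalid
sslVerifyServerCert = false

[tcpout:plain_group]
server = idx2.example.invalid:9997
"""

CERT_KEYS = ("sslCertPath", "clientCert")
NAME_KEYS = ("sslCommonNameToCheck", "sslAltNameToCheck")

def lint_outputs_conf(text):
    """Return sorted (stanza, finding) pairs for each tcpout group with a server."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(text)
    inherited = dict(cp["tcpout"]) if cp.has_section("tcpout") else {}
    findings = []
    for stanza in cp.sections():
        eff = {**inherited, **cp[stanza]}  # group settings override [tcpout]
        if not stanza.startswith("tcpout:") or "server" not in eff:
            continue
        if "sslCertPath" in eff:  # splunkd warns: use 'clientCert' instead
            findings.append((stanza, "deprecated-sslCertPath"))
        if not any(k in eff for k in CERT_KEYS):
            findings.append((stanza, "no-client-cert-configured"))
            continue
        # An unset sslVerifyServerCert is treated as off in this example.
        verify = eff.get("sslVerifyServerCert", "false").strip().lower() in ("true", "1")
        has_name = any(k in eff for k in NAME_KEYS)
        if not verify:
            findings.append((stanza, "server-cert-not-verified"))
            if has_name:  # name checks only apply when verification is on
                findings.append((stanza, "name-check-has-no-effect"))
        elif not has_name:
            findings.append((stanza, "verified-without-name-check"))
    return sorted(findings)

print(lint_outputs_conf(SAMPLE))
```

It reads one file only; the merged configuration that splunkd actually uses, including anything supplied by another app, is what `splunk btool outputs list --debug` prints.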

willemjongeneel
Communicator

Hello,

Shouldn't these configurations come from the universal forwarder credential package in managed Splunk Cloud?

Kind regards,
Willem

0 Karma

dhihoriya_splun
Splunk Employee

No, it will not come with the universal forwarder credential package in managed Splunk Cloud. We have to add it explicitly in the UF.

0 Karma

willemjongeneel
Communicator

Can you tell me where I can find this information? If I am connecting from UF to the indexers from servers that do not connect through a proxy, I never have to add this to the outputs.conf. Also, should it be in etc/apps/SplunkUniversalForwarder/default/outputs.conf?

Thanks, kind regards,
Willem

0 Karma