Universal Forwarder Upgrades and our Deployment Se...

Getting Data In

I've been working on automating our UF upgrade process and have found what appears to be an issue with a deprecated key, sslKeysfilePassword ...

When I upgrade an old 6.1 or 6.2 host beyond Splunk 6.5, I've found that while the UF can still maintain forwarding over SSL to our indexers, they can no longer handshake with our deployment server.

Spending most of my week on this, I've come across a workaround where, prior to performing the upgrade ... ( stopping splunk; tar -zxf blah ), if I remove the deprecated key "sslKeysfilePassword" from etc/system/local/server.conf ... the handshake problem is no longer an issue.

The odd thing here is that, this is the only thing that had to be changed to rectify the issue, but my understanding of a deprecated object is that it would just be ignored. It doesn't appear to be the case in this instance.

So, this isn't really a question perse, but has anyone ever run up against this before?

Get Updates on the Splunk Community!

Universal Forwarder Upgrades and our Deployment Server

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation