I'm trying to use the token authentication between an indexer and a universal forwarder. All seems to be good on my indexer, but the UF doesn't seem to understand the configuration.
This is my configuration in /local/outputs.conf:
defaultGroup = index
token = 8-4-4-4-12
When I restart the Splunk daemon, the token stays in clear in the configuration file and on the indexer, I have this log: "token not sent by forwarder!"
If I specify that without the token, the UF works very well.
Does somebody know where I'm wrong?
Bonus question: Does anyone know how the token is created (urand, ...)?
Could you double check that the token that you have put in outputs.conf is indeed a valid one. That is, it has the same value which you got when you generated on indexer.
Some key points to keep in mind.
1) Not all strings are valid tokens, they are GUID's. If it is not a valid token it will not be sent from the forwarder to indexer.
2) Your token stays in plain text because string '8-4-4-4-12' is not a valid guid, since it is not a valid token we dont even look at it from the perpective of using it or encrypting it.
Technically you should not have to care about how tokens are generated by indexer. You should treat them as opaque objects from your side.