Are you recommending enableOldS2SProtocol=true?
Are you implementing enableOldS2SProtocol=true?
If yes, read below.
Splunk has dropped support for the oldest S2S version. However, it added the enableOldS2SProtocol config to allow a forwarder to use the oldest protocol.
With enableOldS2SProtocol=true, the forwarder is allowed to use the oldest protocol (protocol level 0), the first ever protocol. You are essentially using an almost 20-year-old protocol.
With enableOldS2SProtocol=false, the forwarder is allowed to use a minimum protocol level of 1 with the negotiateProtocolLevel config.
If negotiateProtocolLevel is not set (by default it is not set), then the forwarder and receiver will negotiate the latest common protocol supported by both the forwarder and the receiver.
If you are on a Splunk 9.2.x receiver and the forwarder is 9.0.x and above, then protocol 6 is being used.
When protocol negotiation happens between the fwd and the receiver, if the receiver says protocol 0, the fwd does not accept that and still uses the minimum supported protocol 1, unless enableOldS2SProtocol=true is set on the fwd.
Suggesting enableOldS2SProtocol=true on the fwd means the receiver is only capable of protocol 0 and you are forcing the fwd to use protocol 0.
Suggesting enableOldS2SProtocol=true and negotiateProtocolLevel=0 on the fwd means the fwd is forced to use protocol 0 regardless of the receiver's protocol level.
Protocol levels.
0: Maximum network traffic over S2S connection.
1: Network traffic optimization over S2S connection.
2: Additional network traffic optimization over S2S connection.
3: Metric support.
4: Ack support for rawless metric events.
5: Flag potential dup events.
6: Flag for cloned metric events so that cloned events are exempted from license usage.
7: SSL certificate requests
Make an informed decision.
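A configuration check for the two settings discussed in the post above, as an added example that is not part of the original thread or Splunk's own tooling: it parses outputs.conf text and flags stanzas that allow or force protocol level 0. The stanza names, hostnames and finding labels are constructed, each stanza is evaluated on its own (no inheritance between stanzas or file layering), and the set of values treated as true is an assumption.

```python
# Assumption: spellings treated as boolean true in the .conf file.
TRUTHY = {"true", "1", "t", "yes", "y"}

def parse_conf(text):
    """Return {stanza: {key: value}}; a later key overrides an earlier one."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments, including commented-out settings
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def audit(text):
    """Flag stanzas that permit or force S2S protocol level 0."""
    findings = []
    for stanza, kv in parse_conf(text).items():
        old = kv.get("enableOldS2SProtocol", "false").lower() in TRUTHY
        level = kv.get("negotiateProtocolLevel")
        if old and level == "0":
            # Forwarder uses protocol 0 regardless of the receiver's level.
            findings.append((stanza, "FORCED_LEVEL_0"))
        elif old:
            # Forwarder will accept protocol 0 if the receiver offers it.
            findings.append((stanza, "LEVEL_0_ALLOWED"))
    return findings

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
[tcpout:primary]
server = idx1.example.com:9997

[tcpout:legacy]
server = old-idx.example.com:9997
enableOldS2SProtocol = true

[tcpout:pinned]
server = old-idx2.example.com:9997
enableOldS2SProtocol = true
negotiateProtocolLevel = 0
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run it over the merged configuration (for example the output of `splunk btool outputs list`) rather than a single file, so settings contributed by other apps are seen.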
@hrawat wrote:
Protocol levels.
0: Maximum network traffic over S2S connection.
1: Network traffic optimization over S2S connection.
2: Additional network traffic optimization over S2S connection.
3: Metric support.
4: Ack support for rawless metric events.
5: Flag potential dup events.
6: Flag for cloned metric events so that cloned events are exempted from license usage.
7: SSL certificate requests
This is the first time I recall seeing any documentation on the protocol levels. Can you elaborate what "7: SSL certificate requests" means?
>Can you elaborate what "7: SSL certificate requests" means?
It means that if you have a new certificate rotated by the receiver, then clients will also rotate the new certificate. This will help avoid manually restarting thousands of fwds to reload the certificate.
SSL cert files are reloaded since these are essentially not part of the outputs.conf.
However, if you changed the cert path in outputs.conf, then it was not honored.