Hey everyone. First time SSL setup (IDX & UF both v8.x) and cert creation (never done before). Had a question about verifying if things worked. I walked through splunk docs and got to the point of verifying connection.
On my IDX i can run:
index=_internal source=*metrics.log* group=tcpin_connections |
dedup hostname | table _time hostname version sourceIp destPort ssl
I do get expected result returned port (9998) and SSL = true. BUT this was the only part of the instructions that i could follow to verify SSL items. I can't find anything else within Splunkd or index=_* referencing what is being mentioned in the validating procedures for the UF portion. I can see that the UF has the following output in splunkd "Connected to idx=10.202.20.229:9998". This UF is only setup to forward to the one server over port 9998.
and the expected output mentioned Verify return code: 0 (ok) was instead returning code: 18 (self signed certificate). Then on the UF i attempted to monitor a random log file that i update. On the main Splunk server i can see the data come in. I'm just second guessing if i did things correctly given i wasn't able to validate internal Splunk logs.