Additional SSL Verification

New Member

Hey everyone.
First time SSL setup (IDX & UF both v8.x) and cert creation (never done before). Had a question about verifying if things worked. I walked through splunk docs and got to the point of verifying connection.

On my IDX i can run:

index=_internal source=*metrics.log* group=tcpin_connections | 
dedup hostname | table _time hostname version sourceIp destPort ssl

I do get expected result returned port (9998) and SSL = true.
BUT this was the only part of the instructions that i could follow to verify SSL items. I can't find anything else within Splunkd or index=_* referencing what is being mentioned in the validating procedures for the UF portion. I can see that the UF has the following output in splunkd "Connected to idx=". This UF is only setup to forward to the one server over port 9998.

The next steps i followed where on this page

openssl s_client -connect <server>:<port>

and the expected output mentioned Verify return code: 0 (ok) was instead returning code: 18 (self signed certificate).
Then on the UF i attempted to monitor a random log file that i update. On the main Splunk server i can see the data come in.
I'm just second guessing if i did things correctly given i wasn't able to validate internal Splunk logs.


 sslRootCAPath = /opt/splunkforwarder/etc/auth/myCerts/myCACertificate.pem
 sslPassword = <with pass here>
defaultGroup = group1
 server =
 disabled = 0
 clientCert = /opt/splunkforwarder/etc/auth/myCerts/myNewSplunkForwarderCert.pem
useClientSSLCompression = true
sslPassword = <with pass here>


disabled = 0
serverCert = /opt/splunk/etc/auth/myCerts/myNewSplunkIndexerCert.pem
sslPassword = <with pass here>
requireClientCert = "true"
 sslRootCAPath = /opt/splunk/etc/auth/myCerts/myCACertificate.pem
 sslPassword = <with pass here>
Labels (2)
Tags (2)
0 Karma