We are running a Splunk cluster (version 8.1.2) and trying to secure the forwarding from the Universal Forwarders (also version 8.1.2) to the Heavy Forwarders in our cluster.
I've followed the documentation to accomplish this using custom certificates and we have succeeded in securing the traffic between the Universal Forwarders running on Linux and our Heavy Forwarders (also running on Linux). However, the Universal Forwarders on Windows fail to successfully send their data.
Our configuration is as follows:
- We have created a root CA that is shared by all Splunk nodes.
- We have created a server certificate signed by the root CA that is shared by the Heavy Forwarders.
- We have created a certificate signed by the root CA that is shared by the Universal Forwarders.
The Universal Forwarders contain an app with an outputs.conf with the following content:
I have also tried to specify the path to the root CA in the server.conf but this did not help either.
Finally, I have tried to install the Universal Forwarder using the graphical user interface and to specify the certificates in the installation wizard. The strange thing is that the certificate options do not show up in any of the configuration files after the installation is complete and forwarding also does not work.
Has anyone successfully configured forwarding over SSL/TLS from a Windows host or is this only supported on Linux hosts?
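Since the outputs.conf content is not in the post, here is an added diagnostic (not from the original thread and not Splunk's code) for the one input that Windows tooling most often mangles: the clientCert PEM bundle. It checks that the file has the layout Splunk's forwarder documentation describes (forwarder certificate, then its private key, then the CA chain, concatenated in one file), flags a UTF-8 BOM or UTF-16 encoding as written by Notepad or PowerShell's Out-File, and reports whether the key is encrypted so that sslPassword is known to be required. The sample bundles are constructed placeholders, not real certificates.

```python
import re

# One PEM block: header, body, and a footer that repeats the header's label.
# LF and CRLF line endings are both accepted, as OpenSSL itself does.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def inspect_client_bundle(data: bytes) -> dict:
    """Check a clientCert bundle for the structure a forwarder needs:
    leaf CERTIFICATE, one PRIVATE KEY, then at least one CA CERTIFICATE.
    Returns the block sequence, whether the key is encrypted, and findings."""
    findings = []
    if data.startswith(b"\xef\xbb\xbf"):
        findings.append("UTF-8 BOM before the first PEM header")
    elif data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        findings.append("file is UTF-16 (PowerShell Out-File / Notepad default), not ASCII PEM")
    blocks = [(m.group(1).decode(), m.group(2)) for m in PEM_BLOCK.finditer(data)]
    kinds = [kind for kind, _ in blocks]
    certs = kinds.count("CERTIFICATE")
    keys = [kind for kind in kinds if kind.endswith("PRIVATE KEY")]
    if certs == 0:
        findings.append("no CERTIFICATE block")
    elif certs < 2:
        findings.append("only one CERTIFICATE block: CA chain is missing from the bundle")
    if not keys:
        findings.append("no PRIVATE KEY block: bundle cannot authenticate the forwarder")
    elif len(keys) > 1:
        findings.append("more than one private key in the bundle")
    if kinds and kinds[0] != "CERTIFICATE":
        findings.append(f"first block is {kinds[0]}, expected the forwarder's leaf CERTIFICATE")
    # PKCS#8 encrypted keys use their own header; legacy PEM keys carry Proc-Type.
    encrypted = any(kind == "ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body
                    for kind, body in blocks)
    if encrypted:
        findings.append("private key is encrypted: sslPassword must match its passphrase")
    return {"blocks": kinds, "encrypted_key": encrypted, "findings": findings}


# Constructed placeholders (not valid DER): correct order, encrypted legacy key.
SAMPLE_OK = (b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgTEVBRg==\n-----END CERTIFICATE-----\n"
             b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n"
             b"Q09OU1RSVUNURUQgS0VZ\n-----END RSA PRIVATE KEY-----\n"
             b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgQ0E=\n-----END CERTIFICATE-----\n")
# Constructed: saved with a BOM and missing the CA certificate.
SAMPLE_BAD = (b"\xef\xbb\xbf-----BEGIN CERTIFICATE-----\r\nQ09OU1RSVUNURUQ=\r\n-----END CERTIFICATE-----\r\n"
              b"-----BEGIN PRIVATE KEY-----\r\nQ09OU1RSVUNURUQ=\r\n-----END PRIVATE KEY-----\r\n")

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, inspect_client_bundle(sample))
```

Run it against the bundle referenced by clientCert on a failing Windows forwarder; any finding other than the encrypted-key note is something the Splunk TLS error messages will not spell out.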