Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to configure forwarding with SSL using load balancing?

fairje
Communicator
‎11-10-2015 11:52 AM

So I have a group of servers that I am load balancing across and I am trying to figure out how to set the "sslCommonNameToCheck" variable when handling multiple servers. This does not look like it allows a comma separated list.

I want it to look something like this:

[tcpout]
defaultGroup = myIndexers

[tcpout:myIndexers]
maxQueueSize = 128MB
useACK = true
autoLB = true
server = splunk-idx01.myorg.com:9998, splunk-idx02.myorg.com:9998
sslCertPath = $SPLUNK_HOME/etc/auth/myOrg/splunk-forwarder.pem
sslPassword = <REDACTED>
sslRootCAPath = $SPLUNK_HOME/etc/auth/myOrg/cacert.crt
sslVerifyServerCert = true
sslCommonNameToCheck = splunk-idx01.myorg.com, splunk-idx02.myorg.com

But like I said, I do not believe this takes a comma separated value.

I tried something I found in the "bonus/deleted" slides from the 2015 .conf presentation by Defense Point Security on SSL Best Practices:
http://conf.splunk.com/session/2015/conf2015_DWaddle_DefensePointSecurity_deploying_SplunkSSLBestPra...

in which they do the same as above except break out each server with stanzas as follows:

[splunk-idx01.myorg.com]
sslVerifyServerCert = true
sslCommonNameToCheck = splunk-idx01.myorg.com
[splunk-idx02.myorg.com]
sslVerifyServerCert = true
sslCommonNameToCheck = splunk-idx02.myorg.com

I tried this, and it doesn't work as that is not the right syntax on stanzas. Anyone setup SSL with Load Balancing?

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎11-10-2015 01:18 PM

Did you read up on the docs here?
It appears you are missing *tcpout-server:// * in your individual server stanzas.

0 Karma
Reply

fairje
Communicator
‎11-10-2015 01:33 PM

Had read all through it, and I think it was throwing me off since I was afraid that the "tcpout-server://" setting would maybe somehow keep it from load balancing correctly. by instead duplicating all the data equally to the servers. I will give this a go and see if that works.

I am just not sure the best way to validate that it is load balancing and not sending the data out to all of my indexers at the same time (e.g. instead of it logging something once, I would guess to find my data copied 4 times over on my 4 indexers.)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Monitoring AI Agents with Splunk Observability Cloud

Let’s say I’m running a travel planning AI app in production. A user asks for three concise hotel options in ...

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...