Indexer/forwarder SSL communication / sslVerifySer...

splunkreal · ‎09-09-2016

Hello, is it possible that Splunkforwarder still works if the cacert.pem on the indexer is expired and from different certificate authority? We have sslVerifyServerCert = false set on the fwd.

Thanks.

* If this helps, please upvote or accept solution if it solved *

anand_singh17 · ‎05-25-2017

it is additional step for authenticating your splunk indexers. For example- If it FALSE, setup an indexer, add and define common certificate and configure to forward the event, it will start ingesting. In this case, certificates, verify, whether it is forwarding events/logs to correct indexers only, but based on certificates

You need to have two more configs need to be added in case, you want it to work,

output.conf, (splunk forwarder - DS client)
sslCommonNameToCheck= server.common.name.com.fqdn

between server to server
sslCommonNameList = splunk.servers.names.with.comma.for.all.making.communication, server1.com, server2.com

Always configure these config in last, as any communication break, can be rolled back, as this would be only check.

jkat54 · ‎09-09-2016

Yeah that should be fine as far as I know.

Indexer/forwarder SSL communication / sslVerifyServerCert question

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation