Hi Guys,
We have the following environment set up: 2 x indexer and 1 x forwarder with 1 Master Node + Search Head.
We have configured it to use indexer discovery and got it to work, whereby the forwarder is able to pass the logs over to the indexer.
However, when we turn on SSL, the logs are not forwarded over to the indexer anymore.
From the forwarder error logs, I saw the following error => "02-15-2019 09:09:35.768 +0000 ERROR TcpOutputProc - target=Indexer:9997 ssl=0 mismatch with ssl config in outputs.conf for server, skipping..."
Can anyone advise what is wrong here?
Try using btool to verify the configuration files.
Hi ashajambagi,
Thanks for the suggestion. I finally found the error using btool; it was due to a conflicting configuration for SSL port 9997.
Somehow, besides inputs.conf, there's another config residing under launcher that is also configured to use port 997, which is non-SSL, causing the issue I encountered.
Glad the suggestion helped resolve your error!
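The conflict described in the reply above (a plain receiver stanza in another app next to the `splunktcp-ssl` one) can be checked for mechanically. The following is an added example, not part of the original thread: it parses the output of `splunk btool inputs list --debug`, which prefixes each line with the file it came from. The sample text, the launcher file path and the function name are constructed for illustration, and paths are assumed to contain no spaces.

```python
import re
from collections import defaultdict

# Constructed sample of `splunk btool inputs list --debug` output:
# each line is "<source file>  <stanza header or setting>".
SAMPLE_BTOOL = """\
/opt/splunk/etc/system/local/inputs.conf  [default]
/opt/splunk/etc/system/local/inputs.conf  host = SPLUNK01
/opt/splunk/etc/system/local/inputs.conf  [SSL]
/opt/splunk/etc/system/local/inputs.conf  requireClientCert = false
/opt/splunk/etc/apps/launcher/local/inputs.conf  [splunktcp://9997]
/opt/splunk/etc/apps/launcher/local/inputs.conf  disabled = 0
/opt/splunk/etc/system/local/inputs.conf  [splunktcp-ssl:9997]
/opt/splunk/etc/system/local/inputs.conf  disabled = 0
"""

# Matches [splunktcp:9997], [splunktcp://9997], [splunktcp://host:9997], [splunktcp-ssl:9997]
STANZA = re.compile(r"^\[(splunktcp(?:-ssl)?):(?://)?(?:[^:\]]*:)?(\d+)\]$")

def find_ssl_conflicts(btool_output):
    """Return {port: {kind: source_file}} for ports that have both an SSL and a plain listener enabled."""
    listeners = defaultdict(dict)  # port -> {"splunktcp" | "splunktcp-ssl": file}
    current = None                 # (port, kind) of the receiver stanza being read
    for line in btool_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        path, rest = parts[0], parts[1].strip()
        if rest.startswith("["):
            m = STANZA.match(rest)
            current = (int(m.group(2)), m.group(1)) if m else None
            if current:
                listeners[current[0]][current[1]] = path
        elif current:
            key, _, value = rest.partition("=")
            if key.strip() == "disabled" and value.strip().lower() in ("1", "true"):
                listeners[current[0]].pop(current[1], None)  # disabled stanza is not a listener
    return {port: kinds for port, kinds in listeners.items() if len(kinds) == 2}

if __name__ == "__main__":
    for port, kinds in find_ssl_conflicts(SAMPLE_BTOOL).items():
        print(f"port {port}: plain in {kinds['splunktcp']}, SSL in {kinds['splunktcp-ssl']}")
```
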
Hello @christay
Did you mention the SSL details in inputs.conf and outputs.conf as described in the link below:
Configure indexer discovery with SSL
https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/indexerdiscovery
Hi Vishal,
I have configured it based on the documents I got from Splunk, running ver 7.2.0.
input.config on one of my index servers is as follows:
[default]
host = SPLUNK01
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = /opt/splunk/etc/system/local/certs/myIndexer.pem
sslPassword =  hashxx
requireClientCert = false
output.config on my forwarder is as follows:
[indexer_discovery:AWSINDEX]
pass4SymmKey = hashxxxx
master_uri = https://1.1.1.1:8089
[tcpout:splunkaws]
indexerDiscovery = AWSINDEX
useACK = true
autoLBFrequency = 30
forceTimebasedAutoLB = true
clientCert = /opt/splunkforwarder/etc/system/local/certs/myForwarder.pem
sslPassword = hashxxxx
[tcpout]
defaultGroup = splunkaws
@christay,
Can you please try to move the cert under the /opt/splunk/etc/auth/certs directory and try again?
Hi Vishal,
I have tested by moving my certs to:
/opt/splunk/etc/auth/certs for my indexer
and
/opt/splunkforwarder/etc/auth/certs for my forwarder
Still the same error as reported above.
Did you mention the sslRootCAPath path in server.conf on the indexer server?
Yup, I did, as per the documentation in ver 7.2.0.
Which is why I can't figure out where I have gone wrong.....
