Splunk not working after turning on SSL for forwarder and indexer communication

christay
New Member

Hi Guys,

We have the following environment set up: 2 x indexers and 1 x forwarder with 1 Master Node + Search Head.

We have configured indexer discovery and got it to work, whereby the forwarder is able to pass the logs over to the indexers.

However, when we turn on the SSL, the logs are not forwarding over to the indexer anymore.

From the forwarder error logs, I saw the following error => "02-15-2019 09:09:35.768 +0000 ERROR TcpOutputProc - target=Indexer:9997 ssl=0 mismatch with ssl config in outputs.conf for server, skipping..."

Can anyone advise what is wrong here?

0 Karma

ashajambagi
Communicator

Try using btool to verify the configuration files.

0 Karma

christay
New Member

Hi ashajambagi,

Thanks for the suggestion. I finally found the error using btool; it was due to a conflicting configuration for SSL port 9997.

Somehow, besides inputs.conf, there's another config residing under launcher that is also configured to use port 997, which is non-SSL, causing the issue I encountered.

0 Karma

ashajambagi
Communicator

Glad the suggestion helped resolve your error!

0 Karma
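
The conflict christay describes above (a plain splunktcp input and a splunktcp-ssl input defined for the same port in different config files) can be picked out of btool's `--debug` output mechanically. The following is an added example, not part of the original thread; the function names and the sample btool lines, including the launcher path, are constructed for illustration.

```shell
# Usage on an indexer:
#   "$SPLUNK_HOME/bin/splunk" btool inputs list --debug | find_ssl_port_conflicts
# Prints each port that has both an enabled plain and an enabled SSL receiver.
find_ssl_port_conflicts() {
  awk '
    {
      # --debug lines look like "<conf file> <stanza header or key = value>"
      file = $1
      rest = $0
      sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)
    }
    rest ~ /^\[/ {
      cur = ""
      if (rest !~ /^\[splunktcp(-ssl)?:/) next      # not a receiving stanza
      kind = (rest ~ /^\[splunktcp-ssl:/) ? "ssl" : "plain"
      port = rest
      sub(/\][ \t]*$/, "", port)
      sub("^.*[:/]", "", port)                      # keep only the trailing port
      if (port !~ /^[0-9]+$/) next
      cur = kind ":" port
      src[cur] = file                               # file that supplied the header
      on[cur] = 1
      ports[port] = 1
      next
    }
    # A disabled stanza is not active, so it cannot clash with the other one.
    cur != "" && rest ~ /^disabled[ \t]*=[ \t]*(1|true)[ \t]*$/ { on[cur] = 0 }
    END {
      for (p in ports)
        if (on["plain:" p] && on["ssl:" p])
          printf "%s plain=%s ssl=%s\n", p, src["plain:" p], src["ssl:" p]
    }
  ' | sort -n
}

# Constructed sample of btool --debug output (not taken from the thread).
sample_btool_output() {
  cat <<'EOF'
/opt/splunk/etc/apps/launcher/local/inputs.conf [splunktcp://9997]
/opt/splunk/etc/apps/launcher/local/inputs.conf disabled = 0
/opt/splunk/etc/system/local/inputs.conf        [splunktcp-ssl:9997]
/opt/splunk/etc/system/local/inputs.conf        disabled = 0
/opt/splunk/etc/apps/search/local/inputs.conf   [splunktcp://9998]
/opt/splunk/etc/apps/search/local/inputs.conf   disabled = 1
/opt/splunk/etc/system/local/inputs.conf        [splunktcp-ssl:9998]
/opt/splunk/etc/system/local/inputs.conf        [SSL]
EOF
}

sample_btool_output | find_ssl_port_conflicts
```

On the sample, only port 9997 is reported; port 9998 is skipped because its plain stanza is disabled.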

vishaltaneja070
Motivator

Hello @christay

Did you mention the SSL details in inputs.conf and outputs.conf as described in the link below?

Configure indexer discovery with SSL

https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/indexerdiscovery
0 Karma

christay
New Member

Hi Vishal,

I have configured it based on the documents I got from Splunk, running ver 7.2.0.

input.config in one of my index servers is as follows:

[default]
host = SPLUNK01
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = /opt/splunk/etc/system/local/certs/myIndexer.pem
sslPassword = hashxx
requireClientCert = false

output.config under my forwarder is as follows:

[indexer_discovery:AWSINDEX]
pass4SymmKey = hashxxxx
master_uri = https://1.1.1.1:8089

[tcpout:splunkaws]
indexerDiscovery = AWSINDEX
useACK = true
autoLBFrequency = 30
forceTimebasedAutoLB = true

# SSL Config Below

clientCert = /opt/splunkforwarder/etc/system/local/certs/myForwarder.pem
sslPassword = hashxxxx

[tcpout]
defaultGroup = splunkaws

0 Karma

vishaltaneja070
Motivator

@christay,

Can you please try moving the cert under the /opt/splunk/etc/auth/certs directory and try again?

0 Karma

christay
New Member

Hi Vishal,

I have tested by moving my certs to :

/opt/splunk/etc/auth/certs for my indexer

and
/opt/splunkforwarder/etc/auth/certs for my forwarder

Still the same error reported above.

0 Karma

vishaltaneja070
Motivator

Did you mention the sslRootCAPath path in the indexer's server.conf?

0 Karma

christay
New Member

Yup, I did, as per the documentation in ver 7.2.0.
Which is why I can't figure out which part I have gone wrong in.....

0 Karma