Splunk Cloud Platform

Sending logs from Universal Forwarder 7.0.3 to Splunk Cloud

jmr44
Explorer

I have a RHEL5 instance running  Universal Forwarder 7.0.3, currently sending logs to Splunk Enterprise. We are in the process of migration to Splunk Cloud. Splunk Cloud doesn't accept <TLS 1.2 and I can't use HEC from the host because the TLS version is 1.0. 
As part of the solution, I came up with using an intermediate forwarder - this can forward the logs however, what I am getting is all hex characters. 
Something like this:
\x00\x8F\x00\x00\x8Bo\xF5\x86\x84h\xFCt5\xCB4T^\x9B\xBC\xE3c\xE6i\xD3\xA5\xCE/\x00\x00 \xC0,\xC00\xC0+\xC0/\xC0$\xC0(\xC0#\xC0'\x00\x9D\x00\x9C\x00<\xC0.\xC0-\xC0&\xC0%\x00\xFF\x00\x00A\x00 \x00\x00\x00

At some point, I also saw "--splunk-cooked-mode-v3--" in the logs. 

The inputs file of the for the intermediate forwarder is this:

[splunktcp://<Source IP>:<Port>]
index = <my index>
disabled = false

The output is just the standard HEC. 

The version of the universal forwarder that I am using is 9.0.3

The universal forwarder version of the source cannot be updated to the latest one or any more than that since it is RHEL5. 

How should I be able to see clean data and not hex ones? 

0 Karma
Get Updates on the Splunk Community!

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

Register Join this Tech Talk to learn how unique features like Service Centric Views, Tag Spotlight, and ...