I have a RHEL5 instance running Universal Forwarder 7.0.3, currently sending logs to Splunk Enterprise. We are in the process of migrating to Splunk Cloud. Splunk Cloud doesn't accept anything below TLS 1.2, and I can't use HEC from the host because its TLS version is 1.0.
As part of the solution, I came up with using an intermediate forwarder. This can forward the logs; however, what I am getting is all hex characters.
Something like this:
\x00\x8F\x00\x00\x8Bo\xF5\x86\x84h\xFCt5\xCB4T^\x9B\xBC\xE3c\xE6i\xD3\xA5\xCE/\x00\x00 \xC0,\xC00\xC0+\xC0/\xC0$\xC0(\xC0#\xC0'\x00\x9D\x00\x9C\x00<\xC0.\xC0-\xC0&\xC0%\x00\xFF\x00\x00A\x00\x00\x00\x00
At some point, I also saw "--splunk-cooked-mode-v3--" in the logs.
The inputs file for the intermediate forwarder is this:
[splunktcp://<Source IP>:<Port>]
index = <my index>
disabled = false
The output is just the standard HEC.
The version of the universal forwarder that I am using is 9.0.3
The universal forwarder on the source cannot be updated to the latest version, or to anything newer than what it has, since it is RHEL5.
How can I see clean data instead of hex?
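Added example (mine, not code from the original post or from Splunk): a small Python decoder that labels what a plaintext `splunktcp` listener actually received. Run on the bytes quoted in the question (transcribed from the post, not captured live), it finds at offset 28 a 32-byte vector of sixteen known TLS cipher-suite IDs (0xC02C, 0xC030, ..., 0x00FF), which is the shape of a TLS ClientHello's cipher-suite list rather than log text. The full-ClientHello builder, its fixed 32-byte "random", and the sample syslog line are constructed for the demo and are assumptions, not data from the post.

```python
import struct

# Subset of IANA TLS cipher-suite IDs; it covers every value in the bytes
# quoted in the question.
CIPHER_SUITES = {
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC024: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC028: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    0xC023: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    0xC027: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0xC02E: "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
    0xC02D: "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC026: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
    0xC025: "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

SPLUNK_COOKED_SIG = b"--splunk-cooked-mode-v3--"   # S2S cooked-mode signature
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01

# Bytes as quoted in the question (transcribed from the post, not captured here).
QUESTION_FRAGMENT = (b"\x00\x8F\x00\x00\x8Bo\xF5\x86\x84h\xFCt5\xCB4T^\x9B\xBC\xE3c\xE6i"
                     b"\xD3\xA5\xCE/\x00\x00 \xC0,\xC00\xC0+\xC0/\xC0$\xC0(\xC0#\xC0'"
                     b"\x00\x9D\x00\x9C\x00<\xC0.\xC0-\xC0&\xC0%\x00\xFF\x00\x00A\x00\x00\x00\x00")


def find_cipher_suite_list(data):
    """Scan for a TLS cipher-suite vector: a 2-byte big-endian length followed
    by that many bytes of known 2-byte suite IDs. Returns (offset, [ids]) or
    None. Works on a fragment that has lost its record header."""
    for i in range(len(data) - 1):
        n = int.from_bytes(data[i:i + 2], "big")
        if n < 4 or n > 256 or n % 2 or i + 2 + n > len(data):
            continue
        body = data[i + 2:i + 2 + n]
        suites = [int.from_bytes(body[j:j + 2], "big") for j in range(0, n, 2)]
        if all(s in CIPHER_SUITES for s in suites):
            return i, suites
    return None


def parse_client_hello(data):
    """Parse a complete TLS record carrying a ClientHello (no extension
    decoding); returns a dict, or None if the bytes are not such a record."""
    if len(data) < 9 or data[0] != TLS_HANDSHAKE or data[1] != 0x03:
        return None
    rec_len = int.from_bytes(data[3:5], "big")
    if data[5] != CLIENT_HELLO or len(data) < 5 + rec_len:
        return None
    pos = 9                                   # past handshake type + 3-byte length
    client_version = tuple(data[pos:pos + 2]); pos += 2
    pos += 32                                 # client random
    sid_len = data[pos]; pos += 1 + sid_len   # session id
    cs_len = int.from_bytes(data[pos:pos + 2], "big"); pos += 2
    suites = [int.from_bytes(data[pos + j:pos + j + 2], "big") for j in range(0, cs_len, 2)]
    return {"client_version": client_version, "suites": suites,
            "suite_names": [CIPHER_SUITES.get(s, hex(s)) for s in suites]}


def classify(data):
    """Label what a plaintext splunktcp listener actually received."""
    if data.startswith(SPLUNK_COOKED_SIG):
        return "splunk-cooked-s2s"
    if parse_client_hello(data):
        return "tls-client-hello"
    if find_cipher_suite_list(data):
        return "tls-handshake-fragment"
    return "unknown"


def build_client_hello(suites, random_bytes=b"\x11" * 32):
    """Constructed TLS 1.2 ClientHello (fixed random, no extensions) for the demo."""
    body = b"\x03\x03" + random_bytes + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00" + b"\x00\x00"                      # null compression; no extensions
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    off, suites = find_cipher_suite_list(QUESTION_FRAGMENT)
    print(classify(QUESTION_FRAGMENT), "cipher-suite list at offset", off)
    for s in suites:
        print(f"  {s:04x}  {CIPHER_SUITES[s]}")
    print(classify(build_client_hello(suites)))
    print(classify(b"Jan  1 00:00:00 host sshd[1]: Accepted publickey\n"))   # constructed syslog line
```

What the decoder says about the quoted bytes is that the listener is seeing a TLS handshake, not events. That is the pattern you get when the sender has SSL turned on for its `tcpout` (the `useSSL` / `sslCertPath` settings in the source's outputs.conf) while the receiver's stanza is plain `[splunktcp://...]` rather than `[splunktcp-ssl:<port>]`; the handshake bytes are then ingested as data. The other signature the script checks for, `--splunk-cooked-mode-v3--`, is the header a forwarder sends at the start of a Splunk-to-Splunk cooked connection; if that literal string shows up as event text, the port that received it was likewise not treating the connection as a forwarder connection, so comparing the two sides' SSL settings is the first check to make.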