Ok. You have two ends of the connection, don't try to fiddle with both of them at the same time. First, configure the receiving end (in your case, the indexer). When you have it working properly, start configuring the client (the UF).

Your inputs.conf on the indexer looks OK. You should now be able to connect with

    openssl s_client -connect your_indexer:9997

and get a properly negotiated SSL connection (as long as your client trusts your indexer's cert issuer). If you're at this step, you can move forward. If at this step the connection is rejected by the indexer because you're not presenting a cert, there's something wrong with your indexer's configuration.

If you have sslVerifyServerCert=false, you should not need any other parameters except useSSL=true because your UF will not be verifying the cert anyway.

Remember to always check your configs with btool:

    splunk btool check

and

    splunk btool inputs list --debug
    splunk btool outputs list --debug
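
The indexer-side check described above can be scripted so each outcome is named before the UF is touched. This is an added example, not part of the original post; the function names, verdict names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `openssl s_client` output from the indexer check.
# Verdict names and the sample outputs below are constructed for illustration.

# Reads s_client output on stdin and prints one verdict:
#   rejected   the server sent a fatal alert (e.g. it demands a client cert)
#   ok         handshake completed and the server chain verified
#   untrusted  handshake completed, but the client does not trust the chain
#   no_tls     no TLS handshake happened (wrong port, plaintext listener, ...)
classify_s_client() {
    out=$(cat)
    case $out in
        # Alerts first: with TLS 1.3 the verify line can print before the alert.
        *"alert certificate required"*|*"alert handshake failure"*) echo rejected ;;
        *"Verify return code: 0 (ok)"*) echo ok ;;
        *"Verify return code: "*) echo untrusted ;;
        *) echo no_tls ;;
    esac
}

# Live check against a receiver; host is a placeholder, 9997 is the page's port.
check_indexer() {
    openssl s_client -connect "$1:${2:-9997}" </dev/null 2>&1 | classify_s_client
}

# Constructed, abbreviated s_client outputs (not captured from a real system).
SAMPLE_OK='CONNECTED(00000003)
    Verify return code: 0 (ok)'
SAMPLE_UNTRUSTED='CONNECTED(00000003)
    Verify return code: 19 (self-signed certificate in certificate chain)'
SAMPLE_REJECTED='CONNECTED(00000003)
    Verify return code: 0 (ok)
...:tlsv13 alert certificate required:...:SSL alert number 116'
SAMPLE_PLAINTEXT='CONNECTED(00000003)
...:wrong version number:...'

for sample in "$SAMPLE_OK" "$SAMPLE_UNTRUSTED" "$SAMPLE_REJECTED" "$SAMPLE_PLAINTEXT"; do
    printf '%s\n' "$sample" | classify_s_client
done
```

Only an `ok` or `untrusted` verdict means the indexer side negotiated TLS; `untrusted` is a client trust-store matter, while `rejected` points back at the indexer's own settings.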