Are you recommending enableOldS2SProtocol=true? Are you implementing enableOldS2SProtocol=true? If yes, read below.

Splunk has dropped support for the oldest S2S version, but added the enableOldS2SProtocol config to allow a forwarder to use the oldest protocol.

With enableOldS2SProtocol=true, the forwarder is allowed to use the oldest protocol (protocol level 0), the first ever protocol. You are essentially using an almost 20-year-old protocol.

With enableOldS2SProtocol=false, the forwarder is allowed to use a minimum protocol level of 1 with the negotiateProtocolLevel config.

If negotiateProtocolLevel is not set (it is not set by default), the forwarder and receiver negotiate the latest common protocol that both support. If the receiver is on Splunk 9.2.x and the forwarder is 9.0.x or above, protocol 6 is used.

When protocol negotiation happens between the forwarder and the receiver, if the receiver says protocol 0, the forwarder does not accept that and still uses the minimum supported protocol 1, unless enableOldS2SProtocol=true is set on the forwarder.

Suggesting enableOldS2SProtocol=true on the forwarder means the receiver is only capable of protocol 0 and you are forcing the forwarder to use protocol 0.

Suggesting enableOldS2SProtocol=true and negotiateProtocolLevel=0 on the forwarder means the forwarder is forced to use protocol 0 regardless of the receiver's protocol level.

Protocol levels:

0: Maximum network traffic over S2S connection.
1: Network traffic optimization over S2S connection.
2: Additional network traffic optimization over S2S connection.
3: Metric support.
4: Ack support for rawless metric events.
5: Flag potential dup events.
6: Flag for cloned metric events so that cloned events are exempted from license usage.
7: SSL certificate requests.

Make an informed decision.
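One way to find forwarders that have opted into protocol 0, as an added example that is not from the original post or from Splunk: a small Python audit that reads .conf-style stanzas and reports which ones only allow protocol 0 and which ones force it. The stanza names, hosts and sample text are constructed, and the accepted spellings of "true" are an assumption.

```python
import re

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
[tcpout]
defaultGroup = primary

[tcpout:primary]
server = idx1.example.com:9997

[tcpout:legacy_allowed]
server = old1.example.com:9997
enableOldS2SProtocol = true

[tcpout:legacy_forced]
server = old2.example.com:9997
enableOldS2SProtocol = 1
negotiateProtocolLevel = 0
"""

# Assumption: boolean spellings treated as true in .conf files.
TRUE_VALUES = {"true", "1", "t", "yes", "y"}
STANZA = re.compile(r"^\[(.+)\]\s*$")

def parse_stanzas(text):
    """Return {stanza: {key: value}} from .conf-style text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_s2s(text):
    """Flag stanzas that allow or force protocol level 0, per the post's rules."""
    findings = {}
    for name, kv in parse_stanzas(text).items():
        old = kv.get("enableOldS2SProtocol", "").lower() in TRUE_VALUES
        if old and kv.get("negotiateProtocolLevel") == "0":
            findings[name] = "forced-protocol-0"   # used regardless of receiver
        elif old:
            findings[name] = "protocol-0-allowed"  # used if the receiver says 0
    return findings
```

It reads each stanza in isolation, so feed it the merged configuration if the settings are layered across several files.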