I've run into this myself... if a Splunk instance starts, and there is no SSL configuration anywhere, Splunk creates its own in etc/system/local. Which can't be overridden. I could conjure up something creative on the Linux forwarders... but Windows, yeah, right... not gonna happen. For the forwarders that I control, this is easy to fix. But for the forwarders I don't control, I'm just a few mouse clicks away from doom when I'm making changes in Forwarder Management. If I accidentally pull the 8089 certs, I have to go get many, many people to touch every single forwarder to manually fix it. Maybe we shouldn't distribute SSL certs for 8089 via deployment server. But without any other options, at least in my enterprise, I don't see any alternatives.
... View more