Hi,

I've got a setup where my universal forwarder clients are going to submit logs to a Splunk index instance going through an L4 load balancer. I'd like the communication between the universal forwarders and the balancer to be encrypted. My setup would be something like:

UF > TLS LB > TCP input on the Splunk index

How can I enable the outputs on the UF side to be sent over TLS1.2 without the client certificate validation phase?

I did use a setting like useSSL = true on my forwarder. According to this snippet of the outputs.conf configuration page (https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Outputsconf) it should enable just the encrypted outgoing stream without requiring a client certificate (as in "legacy" mode):

----Secure Sockets Layer (SSL) Settings----
To set up SSL on the forwarder, set the following setting/value pairs.
If you want to use SSL for authentication, add a stanza for each receiver
that must be certified.
useSSL = <true|false|legacy>
* Whether or not the forwarder uses SSL to connect to the receiver, or relies
on the 'clientCert' setting to be active for SSL connections.
* You do not need to set 'clientCert' if 'requireClientCert' is set to
"false" on the receiver.
* If set to "true", then the forwarder uses SSL to connect to the receiver.
* If set to "false", then the forwarder does not use SSL to connect to the
receiver.
* If set to "legacy", then the forwarder uses the 'clientCert' property to
determine whether or not to use SSL to connect.
* Default: legacy

As the universal forwarder client I'm using the latest Docker image provided by Splunk and I push an outputs.conf to it using the deployment service. The outputs.conf looks like:

[tcpout]
defaultGroup=tcpin

[tcpout:tcpin]
useSSL = true
sslVersions = tls1.2
useClientSSLCompression = true
server=my_lb_dns_name:9997

From the container I'm able to reach the LB with the following command:

sudo -u splunk LD_LIBRARY_PATH=./lib ./bin/openssl s_client -connect my_lb_dns_name:9997

But in the splunkd.log I see warnings like:

WARN TcpOutputProc - Cooked connection to ip=10.235.106.194:9997 timed out

Can someone help me figure out what I'm missing?

Thanks,
Giuseppe
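As an added example (not part of the original post and not Splunk's own code), this Python script applies the useSSL semantics quoted above to an outputs.conf and reports, per default target group, whether the forwarder would encrypt and whether it would present a client certificate. The function name `audit_tcpout` is hypothetical, and the rule that `[tcpout]` values apply to a group unless the group overrides them is an assumption.

```python
import configparser

# Constructed sample: the outputs.conf shown in the post above.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup=tcpin

[tcpout:tcpin]
useSSL = true
sslVersions = tls1.2
useClientSSLCompression = true
server=my_lb_dns_name:9997
"""

def audit_tcpout(conf_text):
    """Return one finding dict per default target group in an outputs.conf."""
    # Only '=' separates key and value, so 'host:port' values stay intact.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.optionxform = str  # keep setting names case-sensitive
    cp.read_string(conf_text)
    base = dict(cp["tcpout"]) if cp.has_section("tcpout") else {}
    groups = [g.strip() for g in base.get("defaultGroup", "").split(",") if g.strip()]
    findings = []
    for group in groups:
        section = "tcpout:" + group
        # Assumption: [tcpout] values apply unless the group stanza overrides them.
        eff = dict(base)
        if cp.has_section(section):
            eff.update(cp[section])
        use_ssl = eff.get("useSSL", "legacy").strip().lower()  # quoted default: legacy
        has_client_cert = bool(eff.get("clientCert", "").strip())
        # Quoted semantics: true -> TLS, false -> cleartext,
        # legacy -> TLS only when 'clientCert' is set.
        encrypted = use_ssl == "true" or (use_ssl == "legacy" and has_client_cert)
        findings.append({
            "group": group,
            "server": eff.get("server", ""),
            "useSSL": use_ssl,
            "encrypted": encrypted,
            "presents_client_cert": has_client_cert,
            "sslVersions": eff.get("sslVersions", "(not set)"),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_tcpout(SAMPLE_OUTPUTS_CONF):
        print(finding)
```

The result reflects only what the forwarder is configured to do; it does not show what the load balancer or the receiver accepts.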