This is a new Splunk deployment using a single instance to serve as Indexer, Search Head, and Deployment Server. We used certificates signed by our internal CA to configure SSL data forwarding; however, I am not seeing any of the expected Windows logs being forwarded to the Indexer. Looking at the splunkd log on the Indexer, it returns the error "Socket error from FORWARDER while idling: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown". I tried to diagnose using btool, but I'm not sure what I'm looking for.
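The "alert certificate unknown" in the splunkd log is the TLS peer reporting that it could not validate the certificate it was shown, so the first thing worth checking is whether the forwarder's certificate actually chains to the CA file the indexer trusts. The script below is an added example, not part of the original post: it builds a throwaway internal CA and forwarder certificate with openssl (all names and files are constructed for the demo) and wraps `openssl verify` in a small function, then shows the same check failing when the trust file holds an unrelated CA, which is the situation that produces this alert.

```shell
#!/bin/sh
# Added example, not code from the original post. Demonstrates the chain check
# behind a TLS "certificate unknown" alert using openssl only. Every CA, key and
# hostname below is constructed for the demo.
set -e

WORK=$(mktemp -d)

# Constructed internal CA (stands in for the poster's "internal CA").
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
  -out "$WORK/ca.pem" -days 2 -subj "/CN=Demo Internal CA" >/dev/null 2>&1

# Constructed forwarder certificate, signed by that CA.
openssl req -newkey rsa:2048 -nodes -keyout "$WORK/fwd.key" \
  -out "$WORK/fwd.csr" -subj "/CN=forwarder.example.test" >/dev/null 2>&1
openssl x509 -req -in "$WORK/fwd.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/fwd.pem" -days 1 >/dev/null 2>&1

# An unrelated CA: simulates an indexer whose trust file does not contain the
# CA that signed the forwarder certificate.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" \
  -out "$WORK/other.pem" -days 2 -subj "/CN=Unrelated CA" >/dev/null 2>&1

# verify_chain <leaf-cert> <trusted-ca-file>
# Prints "ok" when the leaf chains to a CA in the trust file, "fail" otherwise.
# This is the same validation the indexer performs on the forwarder's cert.
verify_chain() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo ok
    return 0
  else
    echo fail
    return 1
  fi
}

# Convenience wrappers for the two demo cases.
check_matching_ca()  { verify_chain "$WORK/fwd.pem" "$WORK/ca.pem"; }
check_wrong_ca()     { verify_chain "$WORK/fwd.pem" "$WORK/other.pem"; }

echo "forwarder cert vs. signing CA:   $(check_matching_ca || true)"
echo "forwarder cert vs. unrelated CA: $(check_wrong_ca || true)"
```

On a real deployment, point `verify_chain` at the certificate file the forwarder presents and at the CA file the indexer is configured to trust; a "fail" there, with the same certificate that looks fine on the forwarder, is exactly the mismatch that surfaces as "certificate unknown" on the indexer side. Running the check in both directions (indexer cert against the forwarder's trust file) covers the case where the forwarder is the one rejecting the certificate.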