Hello,
I keep hearing flip-flop answers from people saying that if I upgrade Splunk Enterprise 7.0, then I won't be able to receive logs from Windows 2003 servers with a Splunk universal forwarder on it.
Is this true or not?
You can have forwarders from version 6.0.0 (so long as you're using the latest release from each set [6.1.13, for example]) send data to 7.x, but you will need to enable TLS encryption with strong ciphers from your universal forwarders (outputs.conf) to your indexer(s) (inputs.conf).
Example outputs.conf for the UF:
[tcpout]
defaultGroup = ssl_indexers
[tcpout:ssl_indexers]
server = server1:9997, server2:9997, server3:9997
sslCertPath = $SPLUNK_HOME/etc/apps/forwarder_ssl_outputs/local/splunk-forwarder.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/apps/forwarder_ssl_outputs/local/cacert.crt
Example inputs.conf for the indexer(s):
[splunktcp-ssl:9997]
connection_host = none
[SSL]
password = $1$hashedCertPassword
rootCA = $SPLUNK_HOME/etc/auth/your_org/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/your_org/server1.9997.pem
sslVersions = tls1.2
cipherSuite = ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:ECDH+AES256:ECDH+AES128:DH+AES256:DH+AES:RSA+AES:!SSLv3:!eNULL:!aNULL:!MD5:!DSS:!3DES:!SHA:!RC4:!EXPORT:!PSK
I have 6.1.13 forwarders on Windows XP sending data to 7.1.5 indexers, and they communicate properly with the deployment server.
See https://wiki.splunk.com/images/f/fb/SplunkTrustApril-SSLipperySlopeRevisited.pdf for more information.
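The two fragments above only work if they agree with each other, and a one-character slip (a dot instead of a colon in a server entry, or a mistyped token in cipherSuite, which OpenSSL silently ignores rather than rejects) is easy to miss by eye. The script below is an added example for this thread, not Splunk's own code or the answerer's: it reads an outputs.conf / inputs.conf pair with the real stanza and key names, checks that every forwarder target has a matching [splunktcp-ssl:<port>] receiver, that sslVersions is pinned to tls1.2, and that each positive cipherSuite token actually selects something in the local OpenSSL. The two config texts embedded in it are constructed for the demo and deliberately contain both typos; the function names (load_conf, audit, audit_cipher_suite, token_selects_ciphers) are mine.

```python
"""Consistency audit for a UF outputs.conf / indexer inputs.conf pair.

Added example, not Splunk code. Stanza and key names are the real ones;
the two config texts are constructed and contain deliberate mistakes.
"""
import configparser
import re
import ssl

# Constructed forwarder side: note 'server3.9997' (dot instead of colon).
OUTPUTS_CONF = """
[tcpout]
defaultGroup = ssl_indexers

[tcpout:ssl_indexers]
server = server1:9997, server2:9997, server3.9997
sslCertPath = $SPLUNK_HOME/etc/apps/forwarder_ssl_outputs/local/splunk-forwarder.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/apps/forwarder_ssl_outputs/local/cacert.crt
"""

# Constructed indexer side: note the mistyped token 'RECDH+AES256'.
INPUTS_CONF = """
[splunktcp-ssl:9997]
connection_host = none

[SSL]
password = $1$hashedCertPassword
rootCA = $SPLUNK_HOME/etc/auth/your_org/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/your_org/server1.9997.pem
sslVersions = tls1.2
cipherSuite = ECDH+AESGCM:RSA+AESGCM:ECDH+AES256:RECDH+AES256:!aNULL:!MD5:!RC4:!3DES
"""

# OpenSSL cipher-string families that should only ever appear negated (!X).
WEAK = {"RC4", "MD5", "3DES", "DES", "EXP", "EXPORT", "NULL", "eNULL", "aNULL",
        "LOW", "SSLv2", "SSLv3", "PSK", "DSS"}
HOST_PORT = re.compile(r"^[A-Za-z0-9.-]+:\d{1,5}$")


def load_conf(text):
    """Splunk .conf files are INI-like: case-sensitive keys, no %-interpolation."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def token_selects_ciphers(token):
    """Hand one cipher-string token to the local OpenSSL on its own.
    Inside a longer string OpenSSL drops unrecognised tokens without complaint,
    so a typo such as RECDH+AES256 never surfaces; alone it selects nothing and
    set_ciphers() raises."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(token)
        return True
    except ssl.SSLError:
        return False


def audit_cipher_suite(suite):
    findings = []
    for tok in filter(None, suite.split(":")):
        if tok[0] in "!-+@":
            continue  # exclusions and ordering directives: nothing to resolve alone
        if WEAK & set(tok.split("+")):
            findings.append(f"cipherSuite enables a weak family in '{tok}'")
        elif not token_selects_ciphers(tok):
            findings.append(f"cipherSuite token '{tok}' matches no cipher (typo?)")
    return findings


def audit(outputs_text, inputs_text):
    """Return human-readable findings; an empty list means the pair is consistent."""
    findings = []
    out = load_conf(outputs_text)
    group = out["tcpout"].get("defaultGroup", "")
    stanza = f"tcpout:{group}"
    if not out.has_section(stanza):
        return [f"outputs.conf: defaultGroup '{group}' has no [{stanza}] stanza"]
    grp = out[stanza]
    ports = set()
    for entry in grp.get("server", "").split(","):
        entry = entry.strip()
        if HOST_PORT.match(entry):
            ports.add(entry.rsplit(":", 1)[1])
        else:
            findings.append(f"outputs.conf: server entry '{entry}' is not host:port")
    for key in ("sslCertPath", "sslRootCAPath"):
        if key not in grp and key not in out["tcpout"]:
            findings.append(f"outputs.conf: [{stanza}] has no {key}; TLS output not configured")

    inp = load_conf(inputs_text)
    ssl_ports = {s.split(":", 1)[1] for s in inp.sections() if s.startswith("splunktcp-ssl:")}
    for port in sorted(ports - ssl_ports):
        findings.append(f"inputs.conf: forwarders target port {port} but there is no [splunktcp-ssl:{port}]")
    for s in inp.sections():
        if s.startswith("splunktcp:"):
            findings.append(f"inputs.conf: cleartext receiver [{s}] is still enabled")
    if not inp.has_section("SSL"):
        return findings + ["inputs.conf: no [SSL] stanza; the splunktcp-ssl input cannot start"]
    tls = inp["SSL"]
    for key in ("serverCert", "rootCA"):
        if key not in tls:
            findings.append(f"inputs.conf: [SSL] is missing {key}")
    allowed = {v.strip() for v in tls.get("sslVersions", "*").split(",")}
    if allowed != {"tls1.2"}:
        findings.append(f"inputs.conf: sslVersions = {','.join(sorted(allowed))}; pin it to tls1.2")
    findings += ["inputs.conf: " + f for f in audit_cipher_suite(tls.get("cipherSuite", ""))]
    return findings


if __name__ == "__main__":
    for line in audit(OUTPUTS_CONF, INPUTS_CONF) or ["no findings"]:
        print(line)
```

Run it against the real files (`$SPLUNK_HOME/etc/apps/<app>/local/outputs.conf` on a forwarder and the indexer's inputs.conf) by passing their contents to audit(). The per-token OpenSSL probe is the part worth keeping: a cipherSuite that reads as strong but contains an unrecognised token just has that token dropped, so the only way to know what a string really selects is to ask the library that will enforce it.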
There is significant cross-version compatibility between forwarders and indexers, so upgrading your indexers will often be fine. See this compatibility matrix for the complete picture: https://docs.splunk.com/Documentation/Forwarder/7.2.3/Forwarder/Compatibilitybetweenforwardersandind...
It is true that you won't get new forwarder versions for your 2k3 boxes though.
With Splunk 7.0.0, Server 2008 R2 was announced as deprecated, so 2003 was probably deprecated even longer ago.
https://docs.splunk.com/Documentation/Splunk/7.0.0/ReleaseNotes/Deprecatedfeatures
Skalli