Hi,

I am not able to configure the ssl connections between the forwarder and indexer. The splunkd logs on both the indexer and forwarder are not the same as cited in the documentation.

Here is what I get on Indexer in splunkd.log:

Date Time +1100 INFO TcpInputConfig - IPv4 port 9997 is reserved for splunk 2 splunk

Date Time +1100 INFO TcpInputConfig - IPv4 port 9997 is not compressed

Date Time +1100 INFO TcpInputConfig - IPv4 port 9997 is reserved for splunk 2 splunk (SSL)

Date Time +1100 INFO TcpInputConfig - IPv4 port 9997 is compressed

Date Time +1100 INFO TcpInputProc - Registering metrics callback for: tcpin_connections

After this, I do not get any other message as mentioned in the documentation.

On Forwarder, I get the following in splunkd.log:

Date Time +1100 INFO TcpOutputProc - found Whitelist forwardedindex.0.whitelist , RE : forwardedindex.0.whitelist

Date Time +1100 INFO TcpOutputProc - found Blacklist forwardedindex.1.blacklist , RE : forwardedindex.1.blacklist

Date Time +1100 INFO TcpOutputProc - found Whitelist forwardedindex.2.whitelist , RE : forwardedindex.2.whitelist

Date Time +1100 INFO TcpOutputProc - tcpout group splunkssl using Auto load balanced forwarding

Date Time +1100 INFO TcpOutputProc - Group splunkssl initialized with maxQueueSize=512000 in bytes.

Date Time +1100 WARN TcpOutputProc - Connected to idx=:9997. Not using ACK.

Date Time +1100 WARN TcpOutputProc - Connected to idx=:9997. Not using ACK.

Date Time +1100 INFO TcpOutputProc - Connection to :9997 closed. Connection closed

For enabling SSL connection between a forwarder and an indexer, I performed the following configurations:

On Indexer(Windows)
I added the following stanzas in $SPLUNK_HOME\etc\system\local\inputs.conf

[splunktcp-ssl:9997]
compressed = true

[SSL]
rootCA = $SPLUNK_HOME\etc\auth\cacert.pem
serverCert = $SPLUNK_HOME\etc\auth\server.pem
password = password

On Forwarder(Windows)
I added the following stanzas in $SPLUNK_HOME\etc\system\local\outputs.conf

[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
compressed = true
server = :9997
sslCertPath = $SPLUNK_HOME\etc\auth\server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME\etc\auth\cacert.pem
sslVerifyServerCert = false

I checked if there were 2 inputs.conf stanzas using port 9997. There were no 2 stanzas using port 9997 but I still changed the port to 9996 for ssl connection.

Despite changing the port, I don't get the output in splunkd.log as mentioned in the splunk documentation.

However, when I checked the metrics.log file on Indexer, I get "ssl=true". Does this mean that ssl is enabled, even though the splunkd logs are not as desired?

Please help.