Indexer/forwarder SSL communication / sslVerifySer...

splunkreal · ‎09-09-2016

Hello, is it possible that Splunkforwarder still works if the cacert.pem on the indexer is expired and from different certificate authority? We have sslVerifyServerCert = false set on the fwd.

Thanks.

* If this helps, please upvote or accept solution 🙂 *

anand_singh17 · ‎05-25-2017

it is additional step for authenticating your splunk indexers. For example- If it FALSE, setup an indexer, add and define common certificate and configure to forward the event, it will start ingesting. In this case, certificates, verify, whether it is forwarding events/logs to correct indexers only, but based on certificates

You need to have two more configs need to be added in case, you want it to work,

output.conf, (splunk forwarder - DS client)
sslCommonNameToCheck= server.common.name.com.fqdn

between server to server
sslCommonNameList = splunk.servers.names.with.comma.for.all.making.communication, server1.com, server2.com

Always configure these config in last, as any communication break, can be rolled back, as this would be only check.

jkat54 · ‎09-09-2016

Yeah that should be fine as far as I know.

Indexer/forwarder SSL communication / sslVerifyServerCert question

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability