Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

If I upgrade to Splunk Enterprise 7.0, can I recieve logs from a Windows 2003 server with a Universal Forwarder on it?

luongg
Explorer
‎01-07-2019 08:44 AM

Hello,

I keep hearing flip-flop answers from people saying that if I upgrade Splunk Enterprise 7.0, then I won't be able to receive logs from Windows 2003 servers with a Splunk universal forwarder on it.

Is this true or not?

Reply

Yorokobi
SplunkTrust
SplunkTrust
‎01-09-2019 02:27 PM

You can have forwarders from version 6.0.0 (so long as you're using the latest release from each set [6.1.13, for example]) send data to 7.x but you will need to enable TLS encryption with strong ciphers from your universal forwarders ( outputs.conf) to your indexer(s) ( inputs.conf).

Example outputs.conf for the UF

[tcpout]
defaultGroup = ssl_indexers

[tcpout:ssl_indexers]
server = server1:9997, server2:9997, server3.9997                                                             
sslCertPath = $SPLUNK_HOME/etc/apps/forwarder_ssl_outputs/local/splunk-forwarder.pem                                                             
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/apps/forwarder_ssl_outputs/local/cacert.crt

Example inputs.conf for the indexer(s)

[splunktcp-ssl:9997]
connection_host = none

[SSL]
password = $1$hashedCertPassword
rootCA = $SPLUNK_HOME/etc/auth/your_org/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/your_org/server1.9997.pem
sslVersions = tls1.2
cipherSuite = ECDH+AESGCM:DH+AESGCM:RSA+AESGCM:RECDH+AES256:ECDH+AES128:DH+AES256:DH+AES:SA+AES:!SSLv3:!eNULL:!aNULL:!MD5:!DSS:!3DES:!SHA:!RC4:!EXPORT:!PSK

I have 6.1.13 forwarders on Windows XP sending data to 7.1.5 indexers and communicated properly with the deployment server.

See https://wiki.splunk.com/images/f/fb/SplunkTrustApril-SSLipperySlopeRevisited.pdf for more information.

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎01-08-2019 04:29 PM

There is significant cross-version compatibility between forwarders and indexers, so upgrading your indexers will often be fine. See this compatibility matrix for the complete picture: https://docs.splunk.com/Documentation/Forwarder/7.2.3/Forwarder/Compatibilitybetweenforwardersandind...

It is true that you won't get new forwarder versions for your 2k3 boxes though.

0 Karma
Reply

skalliger
Motivator
‎01-08-2019 06:13 AM

With Splunk 7.0.0, Server 2008 R2 was announced as deprecated. So 2003 was probably longer ago.
https://docs.splunk.com/Documentation/Splunk/7.0.0/ReleaseNotes/Deprecatedfeatures

Skalli

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...