We are running Splunk V3, but are spinning up a new Splunk V4 server, which we will migrate to. We will likely only migrate some saved searches and reports, not existing log data.
I'm configuring SSL for encryption only (at this point), between a forwarder and the receiver. I have been following the docs, but would like some help.
Do customers typically configure SSL using certificates they have created, or using the certificate which Splunk generates at install (e.g. /opt/splunk/etc/auth/server.pem)? If we use a certificate which we create, do we need to self-sign that certificate, and tell the Splunk receiver and the forwarder about that CA?
I wasn't sure what the password was for the Splunk generated cert, so I created my own cert. I am currently getting this error on the receiver:
Here are my current configuration changes...
On the receiver, /opt/splunk/etc/system/local/inputs.conf:
On the forwarder, /opt/splunk/etc/system/local/outputs.conf:
Most people use the Splunk ones, which is plenty to stop casual eavesdropping, though of course a hardworking and informed snooper can get hold of the Splunk CA (since it comes with every download of Splunk) and try to use that to decrypt captured traffic.
If you have your own certificate, you need the cert with its corresponding private key embedded (same as for a web server), plus you need to have the signing CA public cert.
The following configuration works with the default Splunk certs. The passwords for the generated server certificate private key (
To be honest, I don't see why the Forwarder needs to have
If using your own certificate, you would replace
answered 10 Feb '10, 20:34
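As an added example (not part of the thread, and not Splunk's own tooling), a POSIX shell pre-flight check for the custom-certificate case the answer describes: the file Splunk is pointed at must hold the server certificate with its matching private key, and that certificate must chain to the CA cert that both the receiver and the forwarder are told to trust. It assumes the openssl CLI is installed; the argument layout and the optional key-password argument are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight check for a custom
# Splunk SSL bundle before it goes into inputs.conf / outputs.conf.
# Assumes the openssl CLI is installed. Arguments (the example's own):
#   $1  combined PEM: server certificate followed by its private key
#   $2  public certificate of the CA that signed $1
#   $3  private-key password, if the key is encrypted (optional)
check_splunk_cert_bundle() {
    bundle=$1; ca=$2; pass=${3:-}

    # 1. Both pieces must be present in the one file Splunk is pointed at.
    grep -q 'BEGIN CERTIFICATE' "$bundle" \
        || { echo "FAIL: no certificate block in $bundle"; return 1; }
    grep -q 'PRIVATE KEY' "$bundle" \
        || { echo "FAIL: no private key block in $bundle"; return 1; }

    # 2. The private key must belong to the certificate: compare the
    #    SubjectPublicKeyInfo derived from each side.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) \
        || { echo "FAIL: cannot parse certificate in $bundle"; return 1; }
    key_pub=$(openssl pkey -in "$bundle" -pubout -passin "pass:$pass" 2>/dev/null) \
        || { echo "FAIL: cannot read private key (wrong password?)"; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate"; return 1; }

    # 3. The certificate must chain to the CA both ends will be told to
    #    trust; only the certificate (not the key) is handed to verify.
    openssl x509 -in "$bundle" 2>/dev/null | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
        || { echo "FAIL: $bundle is not signed by $ca"; return 1; }

    echo "OK: $bundle carries a matching key and chains to $ca"
}

# Run as a script: check_bundle.sh server.pem ca.crt [password]
if [ "$#" -ge 2 ]; then
    check_splunk_cert_bundle "$@"
fi
```

A bundle that passes all three checks is what the answer's "cert with its private key embedded" plus "signing CA public cert" requirement amounts to; a pass here does not change the caveat about the stock Splunk certificate, which every download shares.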