Hi, I'm experiencing problems when configuring SSL forwarder from CLI.
My questions are:
Is it enough to move outputs.conf to /etc/system/local and restart splunk to enable forwarder?
If it is enough why am i getting following output from list forwarder-server:
Active Splunk-2-Splunk Forwards: None
Configured but inactive Splunk-2-Splunk Forwards: None
If I move outputs.conf to system/local and then try to add it forwarder like following:
"C:\Program Files\Splunk\bin\splunk" enable app SplunkLightForwarder -auth admin:changeme
"C:\Program Files\Splunk\bin\splunk" add forward-server server.com:9996 -auth admin:changeme
I get:
In handler 'tcpout-server': server.com:9996 forwarded-server already present
But the list forward-server still returns no forwarders?
I have also tried several combinations but with no success. What is the right sequence of commands to add SSL forwarder server and get some info that it is forwarding?
After some experimenting I came up with this:
Enable Forwarder app: splunk enable app SplunkLightForwarder
Restart splunk: splunk restart
Add forwarder from cli: splunk add forward-server IP_ADRESA:PORT
Restart splunk: splunk restart
Copy SSL configuration to outputs.conf:
[tcpout-server://IP_ADRESA:PORT]
compressed = false
indexAndForward = false
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
Restart Splunk: splunk restart
See if forwarder is active: splunk list forward-server
Check on indexer if you have Cooked SSL: index=_internal tcpin 9996 cookedssl
After some experimenting I came up with this:
Enable Forwarder app: splunk enable app SplunkLightForwarder
Restart splunk: splunk restart
Add forwarder from cli: splunk add forward-server IP_ADRESA:PORT
Restart splunk: splunk restart
Copy SSL configuration to outputs.conf:
[tcpout-server://IP_ADRESA:PORT]
compressed = false
indexAndForward = false
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
Restart Splunk: splunk restart
See if forwarder is active: splunk list forward-server
Check on indexer if you have Cooked SSL: index=_internal tcpin 9996 cookedssl
Also if I add forwarder from web, and specify SSL configuration for that forwarder in outputs.conf I get:
Active Splunk-2-Splunk Forwards:
None
Configured but inactive Splunk-2-Splunk Forwards:
splunk.splunk:9996