Thank you Micheal 1. Indexers listen on the same port for each server. If all indexers are on SSL, then 9997 for each (or whatever port you like, but 9997 is convention) I have only 1 Indexer- I have other 3 HF in other Clouds which it will connect to. Both Indexer and HF will need SSL for secured data flow. So question is 1 indexer with SSL on 9997 = connecting to 3 HF with SSL on 9997. Is this possible ? Or do we need to connect each 3 HF with SSL to 9997,9998,9999 ports of Indexer with SSL. 2. Each HF forwards data to the indexer. That's where you require SSL if I'm understanding your design. The UFs forward to the HF which then send to IDX? yes correct each UFs forward to HF. 3. UFs to HF is allowed to be SSL if your requirements specify it. Else, that could be encrypted, and then the SSL out to your IDX is encrypted. UF and HF are in the same environment. But the question is that HF has SSL and connecting to Indexer to a different environment. Since HF is having SSL is it required that all the UFs in the same environment.? is my question Now, you asked if HF is required to use SSL to send to the IDX? Splunk doesn't mandate it, that is dependent upon your customer's needs. Do you need SSL? If not, don't do it. If you need it, then turn on SSL. Always take it back to the customer's requirements.
... View more