Forwarder 6.x Compatibility with Splunk 8.0 Featured Image

Forwarder 6.x Compatibility with Splunk 8.0

By: Forrest Lybarger | Splunk Consultant

 

If you are looking into upgrading Splunk to 8.0, you have probably come across the compatibility matrix for forwarders:

Source: https://docs.splunk.com/Documentation/VersionCompatibility/current/Matrix/Compatibilitybetweenforwardersandindexers

 

This table means that Splunk does not support, nor has it tested, the use of 6.x forwarders with 8.0 indexers. It doesn’t mean that it is impossible for them to work together. In other words, you can use 6.x forwarders at your own risk. Any problems you have with these forwarders, however, will almost always be caused by the version difference and most likely fixed by upgrading.

With all the caveats out of the way, how do you get this working? Well, it depends on what exact version your forwarders have. Here are the affected versions:

  • 6.0.0 to 6.0.6
  • 6.1.0 to 6.1.4
  • 6.2.0 to 6.2.6
  • 6.3.0 to 6.3.1
  • 6.3.1511.1

The issue is that some older 6.x versions of Splunk use a different SSL protocol from 6.6.x and later versions, which makes them unable to connect via the management port (usually port 8089) and unable to communicate with the deployment server. To correct this, you need to force the newer Splunk components to use an SSL version that the older components can understand. In this case, your forwarders are the only components not upgrading to 8.0, so you only need to fix the deployment server. To avoid issues with these forwarder versions add an app with a server.conf containing this stanza to your deployment server:

[sslConfig]

sslVersions = *,-ssl2

sslVersionsForClient = *,-ssl2

cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

Allow any sslConfigs apps your environment already has to override this app by giving it a lower priority name or just add the lines from the stanza that aren’t present in your current app. You can delete this new ssl config after your forwarders are upgraded.

This fix should only be used if you must upgrade to 8.0 and can’t wait for your forwarders to upgrade. Keep in mind that this is not Splunk supported, so for now it could work (latest version as of writing this is 8.0.6), but in the future, Splunk could break this workaround. When you do implement this fix, make sure to prioritize upgrading your forwarders and understand that any problems involving data ingestion or forwarding are most likely caused by not upgrading your forwarders to at least 7.0 (latest version possible is recommended).

Want to learn more about forwarder 6.x compatibility with Splunk 8.0? Contact us today!