diff --git a/content/en/observability_pipelines/sources/amazon_data_firehose.md b/content/en/observability_pipelines/sources/amazon_data_firehose.md
index 6e3bd5064ca..6f467075a24 100644
--- a/content/en/observability_pipelines/sources/amazon_data_firehose.md
+++ b/content/en/observability_pipelines/sources/amazon_data_firehose.md
@@ -13,13 +13,27 @@ Use Observability Pipelines' Amazon Data Firehose source to receive logs from Am
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-1. Optionally, select an AWS authentication option. If you select **Assume role**:
-    1. Enter the ARN of the IAM role you want to assume.
-    1. Optionally, enter the assumed role session name and external ID.
-1. Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-    - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
-    - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
-    - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
+- Enter the identifier for your Amazon Data Firehose address.
+    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
+    - If left blank, the default is used: `SOURCE_AWS_DATA_FIREHOSE_ADDRESS`.
+
+### Optional settings
+
+#### AWS authentication
+
+Select an **AWS authentication** option. If you select **Assume role**:
+1. Enter the ARN of the IAM role you want to assume.
+1. Optionally, enter the assumed role session name and external ID.
+
+#### Enable TLS
+
+Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+- Enter the identifier for your Amazon Data Firehose key pass.
+    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
+    - If left blank, the default is used: `SOURCE_AWS_DATA_FIREHOSE_KEY_PASS`.
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 ## Set the environment variables
 
diff --git a/content/en/observability_pipelines/sources/amazon_s3.md b/content/en/observability_pipelines/sources/amazon_s3.md
index a225c7505cb..8f65a864643 100644
--- a/content/en/observability_pipelines/sources/amazon_s3.md
+++ b/content/en/observability_pipelines/sources/amazon_s3.md
@@ -13,14 +13,28 @@ Use Observability Pipelines' Amazon S3 source to receive logs from Amazon S3. Se
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
+1. Enter the identifier for your Amazon S3 URL.
+    - **Note**: Only enter the identifier for the URL. Do **not** enter the actual URL.
+    - If left blank, the default is used: `SOURCE_AWS_S3_SQS_URL`.
 1. Enter the AWS region.
-1. Optionally, select an AWS authentication option. If you select **Assume role**:
-    1. Enter the ARN of the IAM role you want to assume.
-    1. Optionally, enter the assumed role session name and external ID.
-1. Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-    - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
-    - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
-    - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
+
+### Optional settings
+
+#### AWS authentication
+
+Select an **AWS authentication** option. If you select **Assume role**:
+1. Enter the ARN of the IAM role you want to assume.
+1. Optionally, enter the assumed role session name and external ID.
+
+#### Enable TLS
+
+Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+- Enter the identifier for your Amazon S3 key pass.
+    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
+    - If left blank, the default is used: `SOURCE_AWS_S3_KEY_PASS`.
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 ## Set the environment variables
 
diff --git a/content/en/observability_pipelines/sources/fluent.md b/content/en/observability_pipelines/sources/fluent.md
index be124f35c83..8651f67a126 100644
--- a/content/en/observability_pipelines/sources/fluent.md
+++ b/content/en/observability_pipelines/sources/fluent.md
@@ -13,7 +13,16 @@ Use Observability Pipelines' Fluentd or Fluent Bit source to receive logs from t
 
 Select and set up this source when you [set up a pipeline][1]. The information below are for the source settings in the pipeline UI.
 
-Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+- 1. Enter the identifier for your Fluent address.
+    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
+    - If left blank, the default is used: `SOURCE_FLUENT_ADDRESS`.
+
+### Optional settings
+
+Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+- Enter the identifier for your Fluent key pass.
+    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
+    - If left blank, the default is used: `SOURCE_FLUENT_KEY_PASS`.
 - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
diff --git a/content/en/observability_pipelines/sources/google_pubsub.md b/content/en/observability_pipelines/sources/google_pubsub.md
index 4e5ef74273d..d2c16d84054 100644
--- a/content/en/observability_pipelines/sources/google_pubsub.md
+++ b/content/en/observability_pipelines/sources/google_pubsub.md
@@ -20,7 +20,7 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 1. Enter the subscription name.
 1. Select the decoder you want to use (Bytes, GELF, JSON, syslog).
 1. Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][3] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-    - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
+    - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
     - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
     - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
diff --git a/content/en/observability_pipelines/sources/http_client.md b/content/en/observability_pipelines/sources/http_client.md
index 0f2a8fa7102..6a78660d8e4 100644
--- a/content/en/observability_pipelines/sources/http_client.md
+++ b/content/en/observability_pipelines/sources/http_client.md
@@ -15,16 +15,36 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 
 To configure your HTTP/S Client source:
 
-1. Select your authorization strategy.
-2. Select the decoder you want to use on the HTTP messages. Logs pulled from the HTTP source must be in this format.
-3. Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+1. Enter the identifier for your HTTP Client endpoint URL.
+    - **Note**: Only enter the identifier for the endpoint URL. Do **not** enter the actual endpoint URL.
+    - If left blank, the default is used: `SOURCE_HTTP_CLIENT_ENDPOINT_URL`.
+1. Select your authorization strategy. If you selected:
+   - **Basic**:
+      - Enter the identifier for your HTTP Client username.
+         - If left blank, the default is used: `SOURCE_HTTP_CLIENT_USERNAME`.
+      Enter the identifier for your HTTP Client password.
+         - If left blank, the default is used: `SOURCE_HTTP_CLIENT_PASSWORD`.
+   - **Bearer**: Enter the identifier for your bearer token.
+      - If left blank, the default is used: `SOURCE_HTTP_CLIENT_BEARER_TOKEN`.
+1. Select the decoder you want to use on the HTTP messages. Logs pulled from the HTTP source must be in this format.
+
+### Optional settings
+
+#### Enable TLS
+Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+   - Enter the identifier for your HTTP Client key pass.
+         - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
+         - If left blank, the default is used: `SOURCE_HTTP_CLIENT_KEY_PASS`
    - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
    - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
    - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
-4. Enter the interval between scrapes.
+
+#### Scrape settings
+
+- Enter the interval between scrapes.
    - Your HTTP Server must be able to handle GET requests at this interval.
    - Since requests run concurrently, if a scrape takes longer than the interval given, a new scrape is started, which can consume extra resources. Set the timeout to a value lower than the scrape interval to prevent this from happening.
-5. Enter the timeout for each scrape request.
+- Enter the timeout for each scrape request.
 
 ## Set the environment variables
 
diff --git a/content/en/observability_pipelines/sources/http_server.md b/content/en/observability_pipelines/sources/http_server.md
index 547b3d8268c..0a8691e1eb6 100644
--- a/content/en/observability_pipelines/sources/http_server.md
+++ b/content/en/observability_pipelines/sources/http_server.md
@@ -17,12 +17,25 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 
 To configure your HTTP/S Server source, enter the following:
 
-1. Select your authorization strategy.
+1. Enter the identifier for your HTTP Server address.
+    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
+    - If left blank, the default is used: `SOURCE_HTTP_SERVER_ADDRESS`.
+1. Select your authorization strategy. If you selected **Basic**:
+    - Enter the identifier for your HTTP Server username.
+        - If left blank, the default is used: `SOURCE_HTTP_SERVER_USERNAME`.
+    Enter the identifier for your HTTP Server password.
+        - If left blank, the default is used: `SOURCE_HTTP_SERVER_PASSWORD`.
 1. Select the decoder you want to use on the HTTP messages. Your HTTP client logs must be in this format. **Note**: If you select `bytes` decoding, the raw log is stored in the `message` field.
-1. Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-    - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
-    - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
-    - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
+
+### Optional settings
+
+Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+- Enter the identifier for your HTTP Server key pass.
+    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
+    - If left blank, the default is used: `SOURCE_HTTP_SERVER_KEY_PASS`.
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
 ## Set the environment variables
 
diff --git a/content/en/observability_pipelines/sources/kafka.md b/content/en/observability_pipelines/sources/kafka.md
index 04d40f9ac42..a8474f8bebc 100644
--- a/content/en/observability_pipelines/sources/kafka.md
+++ b/content/en/observability_pipelines/sources/kafka.md
@@ -15,18 +15,41 @@ You can also [send Azure Event Hub logs to Observability Pipelines using the Kaf
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
+<div class="alert alert-danger">Only enter the identifiers for the Kafka servers, username, and password. Do <b>not</b> enter the actual values.</a></div>
+
+1. Enter the identifier for your Kafka servers.
+    - If left blank, the default is used: `SOURCE_KAFKA_BOOTSTRAP_SERVERS`.
+1. Enter the identifier for your Kafka username.
+    - If left blank, the default is used: `SOURCE_KAFKA_SASL_USERNAME`.
+1. Enter the identifier for your Kafka password.
+    - If left blank, the default is used: `SOURCE_KAFKA_SASL_PASSWORD`.
 1. Enter the group ID.
 1. Enter the topic name. If there is more than one, click **Add Field** to add additional topics.
-1. Optionally, toggle the switch to enable SASL Authentication and select the mechanism (**PLAIN**, **SCHRAM-SHA-256**, or **SCHRAM-SHA-512**) in the dropdown menu.
-1. Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][5] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-    - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
-    - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
-    - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
-1. Optionally, click **Advanced** and click **Add Option** to add additional [librdkafka options](#librdkafka-options).
-    1. Select an option in the dropdown menu.
-    1. Enter a value for that option.
-    1. Check your values against the [librdkafka documentation][4] to make sure they have the correct type and are within the set range.
-    1. Click **Add Option** to add another librdkafka option.
+
+### Optional settings
+
+#### Enable SASL Authentication
+
+1. Toggle the switch to enable **SASL Authentication** 
+1. Select the mechanism (**PLAIN**, **SCHRAM-SHA-256**, or **SCHRAM-SHA-512**) in the dropdown menu.
+
+#### Enable TLS
+
+Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][5] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+- Enter the identifier for your Kafka key pass.
+    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
+    - If left blank, the default is used: `SOURCE_KAFKA_KEY_PASS`.
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
+
+#### Add additional librdkafka options
+
+1. Click **Advanced** and then **Add Option**.
+1. Select an option in the dropdown menu.
+1. Enter a value for that option.
+1. Check your values against the [librdkafka documentation][4] to make sure they have the correct type and are within the set range.
+1. Click **Add Option** to add another librdkafka option.
 
 ## Set the environment variables
 
diff --git a/content/en/observability_pipelines/sources/logstash.md b/content/en/observability_pipelines/sources/logstash.md
index 283a1cf041c..6e5fa7f1472 100644
--- a/content/en/observability_pipelines/sources/logstash.md
+++ b/content/en/observability_pipelines/sources/logstash.md
@@ -15,8 +15,17 @@ You can also use the Logstash source to [send logs to Observability Pipelines us
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][3] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- Enter the identifier for your Logstash address.
+    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
+    - If left blank, the default is used: `SOURCE_LOGSTASH_ADDRESS`.
+
+### Optional settings
+
+Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][3] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+- Enter the identifier for your Logstash key pass.
+    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
+    - If left blank, the default is used: `SOURCE_LOGSTASH_KEY_PASS`.
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
diff --git a/content/en/observability_pipelines/sources/opentelemetry.md b/content/en/observability_pipelines/sources/opentelemetry.md
index de3017129c5..a13942a5bbf 100644
--- a/content/en/observability_pipelines/sources/opentelemetry.md
+++ b/content/en/observability_pipelines/sources/opentelemetry.md
@@ -32,7 +32,7 @@ If your forwarders are globally configured to enable SSL, you need the appropria
 ## Set up the source in the pipeline UI
 
 Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][3] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
 
diff --git a/content/en/observability_pipelines/sources/socket.md b/content/en/observability_pipelines/sources/socket.md
index a060f50e190..164f1027d94 100644
--- a/content/en/observability_pipelines/sources/socket.md
+++ b/content/en/observability_pipelines/sources/socket.md
@@ -13,6 +13,9 @@ Use Observability Pipelines' Socket source to send logs to the Worker over a soc
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
+1.  Enter the identifier for your socket address.
+    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
+    - If left blank, the default is used: `SOURCE_SOCKET_ADDRESS`.
 1. In the **Mode** dropdown menu, select the socket type to use.
 1. In the **Framing** dropdown menu, select how to delimit the stream of events.
     <table>
@@ -48,8 +51,19 @@ Select and set up this source when you [set up a pipeline][1]. The information b
         </tr>
     </table>
 
+### Optional settings
+
+If you selected **TCP** mode, toggle the switch to **Enable TLS**. The following certificate and key files are required for TLS.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][2] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+- Enter the identifier for your socket key pass.
+    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
+    - If left blank, the default is used: `SOURCE_SOCKET_KEY_PASS`.
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS #8) format.
+
 ## Set the environment variables
 
 {{% observability_pipelines/configure_existing_pipelines/source_env_vars/socket %}}
 
-[1]: /observability_pipelines/configuration/set_up_pipelines/
\ No newline at end of file
+[1]: /observability_pipelines/configuration/set_up_pipelines/
+[2]: /observability_pipelines/configuration/install_the_worker/advanced_worker_configurations/
\ No newline at end of file
diff --git a/content/en/observability_pipelines/sources/splunk_hec.md b/content/en/observability_pipelines/sources/splunk_hec.md
index 31d3e8a4eaf..e3dce84097a 100644
--- a/content/en/observability_pipelines/sources/splunk_hec.md
+++ b/content/en/observability_pipelines/sources/splunk_hec.md
@@ -15,8 +15,17 @@ Use Observability Pipelines' Splunk HTTP Event Collector (HEC) source to receive
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][5] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- Enter the identifier for your Splunk HEC address.
+    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
+    - If left blank, the default is used: `SOURCE_SPLUNK_HEC_ADDRESS`.
+
+### Optional settings
+
+Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][5] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+- Enter the identifier for your Splunk HEC key pass.
+    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
+    - If left blank, the default is used: `SOURCE_SPLUNK_HEC_KEY_PASS`.
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
diff --git a/content/en/observability_pipelines/sources/splunk_tcp.md b/content/en/observability_pipelines/sources/splunk_tcp.md
index 4f8747119d7..87b7485e33b 100644
--- a/content/en/observability_pipelines/sources/splunk_tcp.md
+++ b/content/en/observability_pipelines/sources/splunk_tcp.md
@@ -13,8 +13,17 @@ Use Observability Pipelines' Splunk Heavy and Universal Forwards (TCP) source to
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-Optionally, click the toggle to enable TLS. If you enable TLS, the following certificate and key files are required:
-- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509).
+- Enter the identifier for your Splunk TCP address.
+    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
+    - If left blank, the default is used: `SOURCE_SPLUNK_TCP_ADDRESS`.
+
+### Optional settings
+
+Click the toggle to **Enable TLS**. If you enable TLS, the following certificate and key files are required:
+- Enter the identifier for your Splunk TCP key pass.
+    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
+    - If left blank, the default is used: `SOURCE_SPLUNK_TCP_KEY_PASS`.
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) root file in DER or PEM (X.509).
 - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in either DER or PEM (X.509).
 - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
diff --git a/content/en/observability_pipelines/sources/sumo_logic.md b/content/en/observability_pipelines/sources/sumo_logic.md
index 7ec7494e35d..2bdaef257f5 100644
--- a/content/en/observability_pipelines/sources/sumo_logic.md
+++ b/content/en/observability_pipelines/sources/sumo_logic.md
@@ -13,7 +13,13 @@ Use Observability Pipelines' Sumo Logic Hosted Collector source to receive logs
 
 Select and set up this source when you [set up a pipeline][1]. The information below is for the source settings in the pipeline UI.
 
-Optionally, in the **Decoding** dropdown menu, select whether your input format is raw **Bytes**, **JSON**, Graylog Extended Log Format (**Gelf**), or **Syslog**. If no decoding is selected, the decoding defaults to JSON.
+- Enter the identifier for your Sumo Logic address.
+    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
+    - If left blank, the default is used: `SOURCE_SUMO_LOGIC_ADDRESS`.
+
+### Optional settings
+
+In the **Decoding** dropdown menu, select whether your input format is raw **Bytes**, **JSON**, Graylog Extended Log Format (**Gelf**), or **Syslog**. If no decoding is selected, the decoding defaults to JSON.
 
 ## Set the environment variables
 
diff --git a/content/en/observability_pipelines/sources/syslog.md b/content/en/observability_pipelines/sources/syslog.md
index 6ee161d43b2..4c455965910 100644
--- a/content/en/observability_pipelines/sources/syslog.md
+++ b/content/en/observability_pipelines/sources/syslog.md
@@ -17,11 +17,20 @@ Select and set up this source when you [set up a pipeline][1]. The information b
 
 To configure your Syslog source:
 
+1. Enter the identifier for your syslog address.
+    - **Note**: Only enter the identifier for the address. Do **not** enter the actual address.
+    - If left blank, the default is used: `SOURCE_SYSLOG_ADDRESS`.
 1. In the **Socket Type** dropdown menu, select the communication protocol you want to use: **TCP** or **UDP**.
-2. Optionally, toggle the switch to enable TLS. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][6] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
-   - `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
-   - `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
-   - `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
+
+### Optional settings
+
+Toggle the switch to **Enable TLS**. If you enable TLS, the following certificate and key files are required.<br>**Note**: All file paths are made relative to the configuration data directory, which is `/var/lib/observability-pipelines-worker/config/` by default. See [Advanced Worker Configurations][6] for more information. The file must be owned by the `observability-pipelines-worker group` and `observability-pipelines-worker` user, or at least readable by the group or user.
+- Enter the identifier for your syslog key pass.
+    - **Note**: Only enter the identifier for the key pass. Do **not** enter the actual key pass.
+    - If left blank, the default is used: `SOURCE_SYSLOG_KEY_PASS`.
+- `Server Certificate Path`: The path to the certificate file that has been signed by your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
+- `CA Certificate Path`: The path to the certificate file that is your Certificate Authority (CA) Root File in DER or PEM (X.509) format.
+- `Private Key Path`: The path to the `.key` private key file that belongs to your Server Certificate Path in DER or PEM (PKCS#8) format.
 
 ## Set the environment variables
 
diff --git a/layouts/shortcodes/observability_pipelines/set_secrets_intro.en.md b/layouts/shortcodes/observability_pipelines/set_secrets_intro.en.md
new file mode 100644
index 00000000000..a88553b0aef
--- /dev/null
+++ b/layouts/shortcodes/observability_pipelines/set_secrets_intro.en.md
@@ -0,0 +1,3 @@
+These are the defaults used for secret identifiers and environment variables.
+
+**Note**: If you enter identifiers for your secrets and then choose to use environment variables, the environment variable is the identifier entered and prepended with `DD_OP`. For example, if you entered `PASSWORD_1` for a password identifier, the environment variable for that password is `DD_OP_PASSWORD_1`.
\ No newline at end of file