After now dealing a few hours with this common problem, here is my working solution for the actual wowza streaming engine 4.

Unfortunately module "moduleOnConnectAuthenticate2" from the Wowza Module Collection (Version 4) actually does not work with both applications (XSPLIT, FFMPEG).
Details for this module can be found here:

The neccessary information for a working solution is somehow already described here:

See: How-to-secure-publishing-from-an-RTMP-encoder-that-does-not-support-authentication-(ModuleSecureURLParams)

Here is my ABSTRACT:

1. Turn off RTMP-Authentication for the desired application (e.g. "xsplit")

2. Add the module "ModuleSecureURLParams"

Note: Adding a new module might need advanced administrator properties

3. Add a private "URL-Token" (~password) for all RTMP publishers

That's it !

Sample settings in XSPLIT Custom RTMP-Channel properties (Version 1.3.1405.2901):

  RTMP URL:       rtmp://<wowza ip>:1935/xsplit?doPublish=12345
  Stream Name:  mystream
  User Agent:      FMLE/3.0
(Note: First use "Test bandwith" option here to check valid RMTP Login)

FFMPEG command line mit RTMP-Authentication:

ffmpeg -i  <input source> ...  -f  flv  "rtmp://<wowza ip>:1935/xsplit?doPublish=12345/mystream"
(ffmpeg version N-66232-g5e3da25)

- Actualy you cannot combine this URL Secure-Token method and the standard RTMP-Authentication.
- Remember that the whole RTMP-URL is *not* encrypted while transmitted over the Network to the Wowza Server.