Hi,
I have installed collectd on a server and I am trying to send metrics using the write_splunk plugin.
My server's HTTP port is 8088 and SSL is disabled.
The write_splunk configuration as written in /etc/collectd.conf is:
server "10.163.0.X"
port "8088"
token "TOKEN"
ssl false
verifyssl false
The data is not reaching the splunk instance.
When I read the collectd logs it is writing:
[error] write splunk plugin: curl_easy_perform failed to connect to 10.163.0.X:8088 with status 35: SSL connect error.
I am unable to enable SSL in my server.
Thank you in advance
John
↧
curl 35 error SSL connect error
↧
Indexers SSL Problem
Hi guys.
I'm trying to configure my two indexers to receive data with SSL.
My inputs.conf configuration is:
# BASE SETTINGS
# [splunktcp://9997]
[splunktcp-ssl:9997]
# SSL SETTINGS
[SSL]
rootCA = $SPLUNK_HOME/etc/apps/MY_all_certificates/certs/MY_CA.pem
serverCert = $SPLUNK_HOME/etc/apps/MY_all_certificates/certs/MY_host.pem
sslPassword = mypassword
requireClientCert = true
# If using compressed = true, it must be set on the forwarder outputs as well.
# compressed = true
But I get an error on Indexers in splunkd:
ERROR TcpInputConfig - SSL context could not be created due to missing required serverCert parameter from [SSL] stanza. Will not open splunk to splunk (SSL) IPv4 port 9997
The problem is that it does not specify what the parameter is.
Thanks.
↧
SSL cert expired for 'https://mint.splunk.com'
The SSL cert for 'https://mint.splunk.com' expired on 26 September 2019 and the console no longer seems to work.
When will the cert be renewed?
Thanks
↧
Disable SSL2, SSL3 and TLS1.0 globally
Hi
We have a clustered index setup (two indexers) on 7.1.1 and 3 search heads (unclustered). What is the recommended method to disable SSL and TLS1.0 globally on all forwarders, indexers and search heads with this setup?
Thanks
↧
How do I set up inputs.conf to allow for a cloud application to send syslog over a SSL connection?
Our anti-virus application is located in the "cloud" and is sending syslog data to the indexer over TCP port 6514. The application has the ability to use SSL to encrypt this data. Looking at previous answers, it looks like I should add [tcp-ssl://6514] to \etc\system\local\inputs.conf. After modifying the config and changing the remote end to use SSL, I get gibberish like this:
\x00\x00\x00\x00\x00\x00
index = avprogram source = tcp:6514 sourcetype = syslog
When I remove the SSL requirement from the remote end, the data shows up correctly. It looks to me like I am missing a setting to decrypt the incoming data.
Any suggestions on what I need to do?
↧
SSL error while trying to connect JAMF using modular input
I get the following error while trying to connect to JAMF through a modular input.
ERROR[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:676)
↧
Force TLS 1.1+ for index replication
Our vulnerability scanner keeps flagging SSLv3 on port 8080, the replication port of our index cluster. I've added the following to server.conf:
[sslConfig]
sslVersions = tls, -tls1.0
Yet we are still getting hits for SSLv3 on the cluster nodes. Below is the full output of the btool server listing:
[sslConfig]
allowSslCompression = true
allowSslRenegotiation = true
caCertFile = $SPLUNK_HOME/etc/auth/cacert.pem
caPath = $SPLUNK_HOME/etc/auth
certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1
enableSplunkdSSL = true
sendStrictTransportSecurityHeader = false
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = XXXXXXXXXXX
sslVersions = tls, -tls1.0
sslVersionsForClient = tls1.2
useClientSSLCompression = true
useSplunkdClientSSLCompression = true
↧
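Added example (editor's code, not from any post on this page and not Splunk's own code): a small resolver for the `sslVersions` list syntax that server.conf, web.conf and the inputs.conf [SSL] stanza share, so the two posts above (disabling SSLv3 and TLS 1.0 everywhere, and a replication port that still answers SSLv3 although `[sslConfig]` says `tls, -tls1.0`) can be checked stanza by stanza instead of by re-reading the spec. It applies the rules the spec documents: the tokens are `ssl3`, `tls1.0`, `tls1.1`, `tls1.2`; `tls` means tls1.0 and newer; `*` means everything; a leading `-` removes an entry; SSLv2 is never enabled, so `-ssl2` is accepted as a no-op. The sample server.conf text is constructed for the demo; `[replication_port-ssl://8080]` is a real server.conf stanza that carries its own SSL settings separate from `[sslConfig]`, but which keys it accepts on a given Splunk version should be confirmed against that version's server.conf.spec.

```python
"""Resolve a Splunk sslVersions list to the protocol set it actually enables.

Added example, not Splunk code. Implements the list syntax documented in
server.conf.spec / web.conf.spec / inputs.conf.spec: tokens ssl3, tls1.0,
tls1.1, tls1.2; "tls" = tls1.0 and newer; "*" = everything; a leading "-"
removes an entry; SSLv2 is never enabled, so "-ssl2" is accepted as a no-op.
SAMPLE_SERVER_CONF is constructed for the demo.
"""
import re

ALL_VERSIONS = ("ssl3", "tls1.0", "tls1.1", "tls1.2")
TLS_VERSIONS = ("tls1.0", "tls1.1", "tls1.2")
# Versions a scanner flags: SSLv3 (POODLE) and TLS 1.0 (deprecated by RFC 8996).
WEAK = {"ssl3", "tls1.0"}


def parse_ssl_versions(spec):
    """Return the set of protocol versions enabled by a Splunk sslVersions value.

    Tokens are applied left to right, so "*, -ssl3" and "tls, -tls1.0" behave
    as a reader of the spec would expect.
    """
    enabled = set()
    for raw in spec.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        remove = token.startswith("-")
        name = token[1:] if remove else token
        if name == "*":
            chosen = set(ALL_VERSIONS)
        elif name == "tls":
            chosen = set(TLS_VERSIONS)
        elif name == "ssl2":
            chosen = set()  # SSLv2 is always disabled; "-ssl2" is a no-op
        elif name in ALL_VERSIONS:
            chosen = {name}
        else:
            raise ValueError("unknown sslVersions token: %r" % token)
        if remove:
            enabled -= chosen
        else:
            enabled |= chosen
    return enabled


def weak_versions(spec):
    """Subset of the enabled versions that a vulnerability scanner would flag."""
    return parse_ssl_versions(spec) & WEAK


_STANZA = re.compile(r"^\[(.+)\]\s*$")


def audit_conf(text, key="sslVersions"):
    """Map every stanza that sets `key` to the sorted list of weak versions it leaves on.

    An empty list means the stanza is clean. A stanza that never sets the key
    inherits the Splunk default and does not appear here, so feed this the
    merged view from btool rather than a single file.
    """
    findings = {}
    stanza = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _STANZA.match(line)
        if match:
            stanza = match.group(1)
            continue
        if stanza is not None and "=" in line:
            k, _, v = line.partition("=")
            if k.strip() == key:
                findings[stanza] = sorted(weak_versions(v))
    return findings


# Constructed sample: [sslConfig] is hardened, but a separate listener stanza
# still uses "*" and so still offers SSLv3 and TLS 1.0.
SAMPLE_SERVER_CONF = """\
[sslConfig]
sslVersions = tls, -tls1.0
sslVersionsForClient = tls1.2

[replication_port-ssl://8080]
serverCert = $SPLUNK_HOME/etc/auth/server.pem
sslVersions = *
"""

if __name__ == "__main__":
    for stanza, weak in audit_conf(SAMPLE_SERVER_CONF).items():
        print("%-32s weak=%s" % (stanza, weak or "none"))
```

To use it on a live system, save the output of `splunk btool server list` (and `splunk btool inputs list`, `splunk btool web list`) to a file and pass the text to `audit_conf`; `[sslConfig]` only governs splunkd's own port, so a scanner finding on another port means some other listening stanza needs its own `sslVersions`.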
Not able to install any app.
Hi All,
While installing any app, I am getting an SSL error. Can someone help me fix this? Below is the error message. Please let me know in case anything is needed from me.
Unexpected error downloading update: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
↧
No SSL certificate validation can be performed since no CA file has been provided
Splunk version 6.5.2
I am getting the error below on a Splunk SH with ES:
2019-10-25T00:45:02.649Z W CONTROL No SSL certificate validation can be performed since no CA file has been provided; please specify an sslCAFile parameter
2019-10-25T00:45:02.677Z F NETWORK The provided SSL certificate is expired or not yet valid.
2019-10-25T00:45:02.677Z I - Fatal Assertion 28652
2019-10-25T00:45:02.677Z I -
***aborting after fassert() failure
Troubleshooting: the installed cert is the client's own cert and is still valid until Dec 2020.
Another thing I already checked was the permission on `/opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key`, and verified it is as below:
ls -l /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key
-r--------. 1 splunk splunk 88 May 25 2017 /opt/splunk/var/lib/splunk/kvstore/mongo/splunk.key
Please advise how I can fix this issue. Thanks
↧
Configure Splunk with SSL with 3rd party certificates - Web doesnt start
Hi! We are trying to set up our Splunk instance (still on a trial license for now, Windows platform) with SSL so that we can send emails when alerts fire.
We were getting an error:
command="sendemail", [SSL: WRONG_VERSION_NUMBER] wrong version number
I assumed that we need to configure SSL first, so I went ahead and followed the steps in "Get third-party certificates for Splunk Web"
(no karma to post links :))
We already had a server certificate running on this machine (where Splunk is to be mainly used for application monitoring), so we should be able to reuse it.
I am able to see the output for the root cert, intermediate and server certificate; I have combined all the certs in one PEM file and loaded the key as well (which I can see without a password).
This is what my web.conf looks like:
[settings]
enableSplunkWebSSL = 1
sslVersions = *
privKeyPath =
serverCert =
httpport=8000
startwebserver = 1
When restarting Splunk, the web interface just doesn't boot up and I only see (admin console, "splunk restart"):
Starting splunk server daemon (splunkd)...
Splunkd: Starting (pid 18528)
Done
This is hanging here.
If I go to web_service.log, there are no entries older than:
2019-11-19 14:45:06,832 INFO [5dd3f1e087183bab1288] root:727 - CONFIG: version_number (str): 4.0
2019-11-19 14:45:06,832 INFO [5dd3f1e087183bab1288] root:727 - CONFIG: x_frame_options_sameorigin (bool): True
2019-11-19 14:45:06,840 INFO [5dd3f1e087183bab1288] root:166 - ENGINE: Bus STARTING
2019-11-19 14:45:06,840 INFO [5dd3f1e087183bab1288] _cplogging:216 - [19/Nov/2019:14:45:06] ENGINE Bus STARTING
2019-11-19 14:45:06,871 INFO [5dd3f1e087183bab1288] root:166 - ENGINE: Set handler for console events.
2019-11-19 14:45:06,871 INFO [5dd3f1e087183bab1288] _cplogging:216 - [19/Nov/2019:14:45:06] ENGINE Set handler for console events.
2019-11-19 14:45:07,085 INFO [5dd3f1e087183bab1288] root:166 - ENGINE: Serving on http://127.0.0.1:8065
2019-11-19 14:45:07,086 INFO [5dd3f1e087183bab1288] _cplogging:216 - [19/Nov/2019:14:45:07] ENGINE Serving on http://127.0.0.1:8065
2019-11-19 14:45:07,086 INFO [5dd3f1e087183bab1288] root:166 - ENGINE: Bus STARTED
2019-11-19 14:45:07,086 INFO [5dd3f1e087183bab1288] _cplogging:216 - [19/Nov/2019:14:45:07] ENGINE Bus STARTED
2019-11-19 14:45:07,175 INFO [5dd3f1e32c183d821ac8] _cplogging:216 - [19/Nov/2019:14:45:07] storage_type is deprecated. Supply storage_class instead
2019-11-19 14:45:07,177 INFO [5dd3f1e32c183d821ac8] root:166 - ENGINE: Started monitor thread 'Monitor'.
2019-11-19 14:45:07,177 INFO [5dd3f1e32c183d821ac8] _cplogging:216 - [19/Nov/2019:14:45:07] ENGINE Started monitor thread 'Monitor'.
On a different terminal (running as admin too), if I run the restart, I see the following lines in the previous console:
Waiting for web server at https://127.0.0.1:8000 to be available
WARNING: web interface does not seem to be available!
On the latest console, it's again stuck on
"Done." and hangs there.
now for the actual questions:
- Is my assumption correct that the first error with the email sending and configuration is related to the overall SSL configuration (which is then linked to the web config)?
- If yes, am I doing something wrong in the setup? Where could I see more logs?
Thanks a lot!
↧
Splunk forwarder not working
Hi Splunkers,
One of my Universal Forwarders was down for a month. When I noticed, I restarted the services again, but it is not coming up. I am facing the error below. Can someone please help?
Splunk> Needle. Haystack. Found.
Checking prerequisites...
Checking mgmt port [8089]: open
Assertion failed: _linkp == nullptr, file /home/build/build-src/orangeswirl/src/util/TimeoutHeap.cpp, line 46
Dying on signal #6 (si_code=0), sent by PID 0 (UID 0). Attempting to clean up pidfile
ERROR: pid 8454562 terminated with signal 6
SSL certificate generation failed.
Can someone please assist
↧
SSL Errors in the Splunk Cluster Master
11-01-2019 06:57:28.448 +0000 ERROR SSLCommon - Can't read CA list
11-01-2019 06:57:28.448 +0000 ERROR ServerConfig - Couldn't initialize SSL Context for HTTPClient in ServerConfig
11-01-2019 06:57:28.448 +0000 ERROR HTTPServer - SSL will not be enabled
↧
SSLKEYSFILEPASSWORD
Hello All,
I have internal private certs for our Splunk environment. Currently, after I install a UF on Windows or Linux, I have to edit the etc\system\local\server.conf file to change the sslKeysfilePassword. If I do not change the password, it will never check in with the deployment server. Is there a way to set the sslKeysfilePassword at the time of installation?
thanks
ed
↧
Splunk Http Event Collector Socket Error
I've been trying for a few days now to set up an HEC on a Splunk Heavy Forwarder and I am having issues with the splunkd process binding to the default tcp/8088 port.
I can see this error in splunkd.log:
FATAL HTTPServer - Could not bind to port 8088
However, I can verify that my localhost is listening on the port
netstat -tulpn | grep 8088
tcp 129 0 0.0.0.0:8088 0.0.0.0:* LISTEN 13924/splunkd
Also, you can notice the queue filling up on that port.
I've already configured the Splunk HEC global settings in the Splunk Web UI and enabled the http input in the inputs.conf file.
I've configured it to accept connections over SSL and enabled those settings within the inputs.conf file as well:
[http]
enableSSL = 1
#requireClientCert = false
#privKeyPath = /opt/splunk/etc/auth/splunk-certs/splunkforwarder.key
serverCert = /opt/splunk/etc/auth/splunk-certs/splunkforwarder.pem
#rootCA = /opt/splunk/etc/auth/splunk-certs/ca-chain.pem
Any help would be greatly appreciated!
↧
Error sending mail and configuration settings in email
Error sending Email
"command="sendemail", [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:741) while sending mail to: XXXXX@XXXXX.com"
From the search head I am able to telnet/ping the SMTP server and vice versa. But with ports 433 and 465 enabled in the AWS firewall it does not work from the search head; only port 25 is reachable from the search head.
Please provide a solution to send a PDF report attached to an SMTP email, or suggest an app on Splunkbase.
**Query Used**: * | top 5 hosts | sendemail to=XXXXX@XXXXX.com
**Email Settings used**:
**Mail host** : smtp.XXXXX.production:25
**Email security**: Enable SSL
**Username**:
**Password**: XXXX
**Link hostname**:
↧
Connection in Jupyter notebook gives SSL wrong version number
[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1056)
import splunklib.results as results
import splunklib.client as client
import io, os, sys, types, datetime, math, time
import ssl
from io import StringIO
# Data Manipulation
import random
import numpy as np
import pandas as pd
# Your Splunk Instance
HOST = "10.10.xxx"
PORT = xxx
USERNAME = "test"
PASSWORD = "test!"
# Create a Service instance and attempt a connection to Splunk.
# client.connect() defaults to scheme="https" (the management port, 8089 by default).
print(ssl.OPENSSL_VERSION)
try:
    service = client.connect(host=HOST, port=PORT, username=USERNAME, password=PASSWORD)
    print("Connection Successful")
except Exception as e:
    print(str(e))
↧
Event not detected by indexer on [splunktcp-ssl] port
I configured Splunk to ingest logs on port 9338 with SSL enabled.
tcpdump on the port shows log data being received, but when I search on the indexer, this event is not captured:
sudo tcpdump -i any port 9338
21 packets captured
42 packets received by filter
0 packets dropped by kernel
The log file /opt/splunk/var/log/splunk/splunkd.log shows:
01-23-2020 06:26:37.519 +0000 INFO TcpInputConfig - IPv4 port 9336 is reserved for raw input
01-23-2020 06:26:37.519 +0000 INFO TcpInputConfig - IPv4 port 9336 will negotiate s2s protocol level 6
01-23-2020 06:26:37.519 +0000 INFO TcpInputConfig - IPv4 port 9337 is reserved for raw input
01-23-2020 06:26:37.519 +0000 INFO TcpInputConfig - IPv4 port 9337 will negotiate s2s protocol level 6
01-23-2020 06:26:37.519 +0000 INFO TcpInputConfig - IPv4 port 9338 is reserved for raw input
01-23-2020 06:26:37.519 +0000 INFO TcpInputConfig - IPv4 port 9338 will negotiate s2s protocol level 6
01-23-2020 06:26:37.519 +0000 INFO TcpInputConfig - Creating FwdDataSSLConfig SSL context. Will open port=IPv4 port 9338 with compression=1
01-23-2020 06:26:37.520 +0000 INFO TcpInputConfig - IPv4 port 9338 is reserved for splunk 2 splunk (SSL)
01-23-2020 06:26:37.520 +0000 INFO TcpInputConfig - IPv4 port 9338 will negotiate s2s protocol level 6
01-23-2020 06:26:38.343 +0000 WARN HttpListener - Socket error from 127.0.0.1:44420 while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
How can I fix this, please?
↧
Forwarder load balancing over SSL to indexer cluster ?
Currently I am trying to load balance data from a forwarder to an indexer cluster (idx1 & idx2) over SSL.
So is this configuration correct in the forwarder's outputs.conf?
[tcpout]
defaultGroup = LB
[tcpout:LB]
server = idx2:9998,idx1:9998
clientCert = XXX
sslPassword = XXX
sslVerifyServerCert = XXX
Problem statement: I already tried the above configuration, but LB happens only on idx2 until I make the following change in idx1's inputs.conf
## here I know that data is not moving over SSL
[splunktcp://9998]
connection_host = ip
[splunktcp-ssl:9998]
disabled = 0
[SSL]
serverCert = XXX
sslPassword = XXX
requireClientCert = false
idx2 inputs.conf
[splunktcp-ssl:9998]
disabled = 0
[SSL]
serverCert = XXX
sslPassword = XXX
requireClientCert = false
↧
TCP Data Input and SSL
Hi there.
I am trying to configure Splunk to receive data on TCP port 514.
I am using the default Splunk certificates which are generated in /opt/splunk/etc/auth.
I configured inputs.conf:
[tcp-ssl:514]
sourcetype = syslog
[SSL]
rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem
On my network device I configured it to send syslog to my Splunk server address via TCP port 514 and imported cacert.pem.
After that I can't explore the logs from this device; the logs are hashed.
What am I doing wrong?
↧
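Added example (editor's code, not from any post on this page and not Splunk's own code): a PEM inventory for the certificate files that keep coming up above, the "missing required serverCert parameter from [SSL] stanza" error in "Indexers SSL Problem", "Can't read CA list" in "SSL Errors in the Splunk Cluster Master", the combined PEM in "Configure Splunk with SSL with 3rd party certificates", and the serverCert/rootCA pair in "TCP Data Input and SSL". Splunk expects serverCert (server.conf [sslConfig], inputs.conf [SSL] and [http]) to be a single PEM file holding the server certificate, its private key and the issuing CA chain, which is why the self-signing documentation builds it by concatenating cert, key and CA; rootCA / caCertFile is expected to hold CA certificates only. The script lists the blocks a file actually contains, notices whether the key is encrypted (so whether sslPassword is needed), and flags the combinations splunkd cannot load. All PEM bodies below are constructed placeholders, not real key material; it does not parse X.509, so the "CA and server certificate must not share a Common Name" check from the app-install error still needs `openssl x509 -noout -subject` on each certificate.

```python
"""Inventory the PEM blocks in a Splunk certificate file and flag the common
mistakes behind "missing required serverCert", "Can't read CA list" and a
serverCert that cannot be loaded.

Added example, not Splunk code. serverCert is one PEM file: server cert +
private key + CA chain; rootCA / caCertFile is CA certificates only. The PEM
bodies below are constructed placeholders, not real keys.
"""
import re

_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, encrypted), ...] for each PEM block, in file order."""
    blocks = []
    for match in _BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        # PKCS#8 encrypted keys carry their own label; legacy "RSA/EC PRIVATE KEY"
        # blocks signal encryption with a Proc-Type header inside the block.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        blocks.append((label, encrypted))
    return blocks


def check_server_cert(text, ssl_password_set):
    """Problems splunkd would hit loading this file as serverCert."""
    blocks = pem_blocks(text)
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block")
    keys = [(label, enc) for label, enc in blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no PRIVATE KEY block: concatenate the server key into the file")
    elif keys[0][1] and not ssl_password_set:
        problems.append("private key is encrypted but sslPassword is not set")
    elif not keys[0][1] and ssl_password_set:
        problems.append("private key is not encrypted; sslPassword is unused")
    if len(keys) > 1:
        problems.append("more than one private key in the file")
    return problems


def check_ca_file(text):
    """Problems splunkd would hit loading this file as rootCA / caCertFile."""
    blocks = pem_blocks(text)
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block: nothing to build a CA list from")
    if any(label.endswith("PRIVATE KEY") for label, _ in blocks):
        problems.append("private key present: a CA bundle must never carry key material")
    return problems


# Constructed placeholders (not real DER/base64). The regex only looks at the
# BEGIN/END labels and the Proc-Type header, so the bodies can be anything.
CONSTRUCTED_CERT = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIC...constructed-placeholder...\n"
    "-----END CERTIFICATE-----\n")
CONSTRUCTED_ENC_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "constructed-placeholder\n"
    "-----END RSA PRIVATE KEY-----\n")
CONSTRUCTED_PLAIN_KEY = (
    "-----BEGIN PRIVATE KEY-----\n"
    "constructed-placeholder\n"
    "-----END PRIVATE KEY-----\n")

# What the self-sign docs produce: server cert, then its key, then the CA cert.
GOOD_SERVER_PEM = CONSTRUCTED_CERT + CONSTRUCTED_ENC_KEY + CONSTRUCTED_CERT
# A certificate exported without its key, a frequent cause of a dead SSL listener.
CERT_ONLY_PEM = CONSTRUCTED_CERT

if __name__ == "__main__":
    for name, pem, pw in [("combined", GOOD_SERVER_PEM, True),
                          ("cert-only", CERT_ONLY_PEM, False)]:
        print(name, [label for label, _ in pem_blocks(pem)],
              check_server_cert(pem, ssl_password_set=pw) or "ok")
```

On a real host, read `$SPLUNK_HOME/etc/auth/server.pem` and `cacert.pem` (or the files the stanza points at) and pass their text to `check_server_cert` and `check_ca_file`; the file must also be readable by the user splunkd runs as, which this script does not check.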
How to configure sending encrypted syslog via TCP
Hi.
I have been struggling with this for a few days. :(
I am sure that I don't understand some steps correctly, so that's the reason.
So I am trying to configure sending logs from my NAS servers (Synology) to my Splunk instance.
Logs are received correctly when I do not use SSL in my Synology log sending configuration. But when I enable SSL and import the certificate in Synology, then the logs are received but are hashed.
**I am searching for simple instructions on how to set up Splunk to receive input data via TCP with a self-signed certificate.**
I generated certificates with this instruction
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Howtoself-signcertificates
I generated files in /opt/splunk/etc/auth/mycerts
- CACertificate.csr
- CACertificate.pem
- CAPrivate.key
- ServerCertificate.csr
- ServerCertificate.pem
- ServerPrivate.key
After that I configured my Synology to send logs via TCP port 514 with SSL enabled and imported CACertificate.pem.
So I still don't understand how to configure inputs.conf and server.conf in my Splunk server to receive SSL syslog over TCP.
I've tried to configure like:
**inputs.conf**
[tcp-ssl:514]
sourcetype = syslog
[SSL]
rootCA = /opt/splunk/etc/auth/mycerts/CACertificate.pem
serverCert = /opt/splunk/etc/auth/mycerts/ServerCertificate.pem
What am I doing wrong?
↧
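Added example (editor's code, not from any post on this page and not Splunk's own code): most of the errors quoted on this page are one mismatch seen from different sides. A TLS client that talks to a plaintext port reads the server's first bytes as a TLS record and OpenSSL reports `WRONG_VERSION_NUMBER` (the sendemail and Jupyter posts: a TLS handshake against a plaintext SMTP banner or a plain-HTTP management port). A TLS listener that receives plaintext reports `SSL23_GET_CLIENT_HELLO:http request` or `unknown protocol` (the port 9338 post). A plaintext listener that receives TLS indexes the ClientHello and ciphertext as NUL bytes and garbage (the `\x00\x00\x00` event in the port 6514 post and the "hashed" logs in the two syslog-over-514 posts). The classifier below labels the first bytes captured on a socket, for instance from `tcpdump -X`, and `diagnose` says which of the three cases a listener or client is in. All sample messages are constructed; the hostnames and token in them are placeholders.

```python
"""Classify the first bytes on a socket so a TLS/plaintext mismatch between a
Splunk listener and its sender is visible.

Added example, not Splunk code. Sample inputs are constructed; hostnames and
the HEC token inside them are placeholders.
"""
import re

TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}
RECORD_VERSIONS = {0x00: "SSLv3", 0x01: "TLS1.0", 0x02: "TLS1.1",
                   0x03: "TLS1.2", 0x04: "TLS1.3"}
HTTP_METHODS = {"GET", "POST", "PUT", "HEAD", "DELETE", "OPTIONS", "PATCH"}
_SYSLOG_PRI = re.compile(r"^<\d{1,3}>")


def classify(first_bytes):
    """Label the start of a stream: tls:<record>:<version>, an SSLv2-style hello,
    plaintext:<kind>, binary, or empty."""
    b = first_bytes
    if not b:
        return "empty"
    # TLS record header: content type, then 0x03 <minor>. The record-layer
    # version is only a hint; the negotiated version lives inside the handshake.
    if len(b) >= 3 and b[0] in TLS_RECORD_TYPES and b[1] == 0x03 and b[2] in RECORD_VERSIONS:
        kind = TLS_RECORD_TYPES[b[0]]
        if kind == "handshake" and len(b) >= 6 and b[5] == 0x01:
            kind = "client_hello"
        return "tls:%s:%s" % (kind, RECORD_VERSIONS[b[2]])
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # message type 1, then the client's highest version (0x03xx). Scanners
    # still send these when probing for SSLv2/SSLv3.
    if len(b) >= 4 and b[0] & 0x80 and b[2] == 0x01 and b[3] == 0x03:
        return "sslv2_compat_client_hello"
    try:
        text = b[:512].decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    first_line = text.split("\n", 1)[0].rstrip("\r")
    if first_line.startswith(("220 ", "220-")):
        return "plaintext:smtp_banner"
    if " HTTP/1." in first_line and first_line.split(" ", 1)[0] in HTTP_METHODS:
        return "plaintext:http_request"
    if _SYSLOG_PRI.match(first_line):
        return "plaintext:syslog"
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return "plaintext:text"
    return "binary"


def diagnose(expect_tls, first_bytes):
    """Compare what a socket expected (TLS or not) with what actually arrived."""
    kind = classify(first_bytes)
    got_tls = kind.startswith("tls:") or kind.startswith("sslv2")
    if expect_tls and not got_tls:
        return ("mismatch: TLS endpoint received %s; OpenSSL reports this as "
                "WRONG_VERSION_NUMBER on a client and as SSL23_GET_CLIENT_HELLO "
                "'http request' or 'unknown protocol' on a server" % kind)
    if got_tls and not expect_tls:
        return ("mismatch: plaintext endpoint received %s; it gets indexed as "
                "NUL bytes and ciphertext" % kind)
    return "ok: " + kind


# Constructed samples.
CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + bytes(32)
APP_DATA = b"\x17\x03\x03\x00\x20" + bytes(32)
SSLV2_HELLO = b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10"
HEC_POST = (b"POST /services/collector HTTP/1.1\r\nHost: splunk.example:8088\r\n"
            b"Authorization: Splunk TOKEN\r\n\r\n")
SYSLOG_LINE = b"<134>Jan 23 06:26:37 nas01 synolog: constructed test event\n"
SMTP_BANNER = b"220 smtp.example ESMTP ready\r\n"
NUL_GARBAGE = b"\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    print(diagnose(True, HEC_POST))       # plain HTTP sent to an SSL-enabled HEC
    print(diagnose(True, SMTP_BANNER))    # TLS attempted against plaintext SMTP on 25
    print(diagnose(False, CLIENT_HELLO))  # TLS syslog sent to a plain tcp:// input
    print(diagnose(True, CLIENT_HELLO))   # the healthy case
```

The record-layer version is deliberately reported as a hint only: a modern client sends a ClientHello with record version 0x0301 and negotiates TLS 1.2 or 1.3 inside the handshake, so "tls:client_hello:TLS1.0" on the wire does not by itself mean TLS 1.0 was agreed.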