We have configured an intermediary HF, C, and two HFs, A and B, connecting to C.
HF A is able to establish a connection and send data to HF C over SSL, but HF B is not.
We need your help fixing this.
Forwarder A can SSL-communicate with intermediary forwarder C.
Forwarder B can NOT SSL-communicate with intermediary forwarder C.
A and C are in the same chassis/compartment and B is not.
* Log messages
- A has no problem:
02-19-2020 23:38:26.344 +0000 INFO TcpOutputProc - Connected to idx=1.2.3.4:9997, pset=0, reuse=0. using ACK.
- B gets the error below:
02-19-2020 23:41:09.861 +0000 ERROR TcpOutputFd - Connection to host=1.2.3.4:9997 failed. sock_error = 104. SSL Error = error:00000000:lib(0):func(0):reason(0)
ERROR TcpOutputFd - Connection to host=c:9997 failed. sock_error = 104. SSL Error = error:00000000:lib(0):func(0):reason(0)
Splunk SSL Error with Python
Morning everyone,
Came in to work today and am seeing this error. Is anyone familiar with it? What's the impact and the fix? Stock install of Splunk with no custom certs.
03-16-2020 03:01:55.285 -0700 ERROR ExecProcessor - message from "/opt/splunk/bin/python2.7 /opt/splunk/etc/apps/splunk_instrumentation/bin/instrumentation.py" HTTPSConnectionPool(host='e1345286.api.splkmobile.com', port=443): Max retries exceeded with url: /1.0/e1345286/81416994-c2ef-5c6f-a3de-68fb09953b0d/100/0?hash=none (Caused by SSLError(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:742)'),))
sslRootCAPath windows forwarders
As per the document below:
https://docs.splunk.com/Documentation/Splunk/7.3.3/Security/ConfigureSplunkforwardingtousesignedcertificates#Configure_your_forwarders_to_use_your_certificates
We have to define sslRootCAPath under server.conf only on a Linux machine and not for Windows.
In Windows, where do we mention this attribute?
useSSL doesn't seem to work in 8.0.2.1
I am trying to set up my forwarders to use SSL without having to use the built-in client certs on version 8.0.2.1. It looks like the option useSSL in the outputs.conf file doesn't do what the documentation says.
In https://docs.splunk.com/Documentation/Splunk/8.0.2/Admin/Outputsconf it says
* Whether or not the forwarder uses SSL to connect to the receiver, or relies
on the 'clientCert' setting to be active for SSL connections.
* If set to "true", then the forwarder uses SSL to connect to the receiver.
* Default: legacy
Here is my outputs.conf file
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = splunkserver:9997
useSSL = true
Here is the inputs.conf file on the server
[splunktcp-ssl://9997]
connection_host = ip
[SSL]
requireClientCert = false
serverCert = $SPLUNK_HOME/etc/auth/servercert.pem
#Use sslPassword = password
sslPassword = password
This outputs.conf file does work
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
server = splunkserver:9997
useSSL = true
clientCert = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
How to configure Splunk Enterprise in front of AWS ELB instance
We have deployed Splunk Enterprise on an EC2 instance behind a classic ELB in AWS with HTTPS enabled (screenshots attached). Splunk runs in plain HTTP on the default port, but we have set the following in our web.conf:
tools.proxy.base=https://
tools.proxy.on=true
However, when we visit Splunk over HTTPS, we can see the login page and authenticate successfully, but then it redirects us to https://127.0.0.1:8000/en-US/app/launcher and not our ELB URL. Help appreciated.
how to config SSL for db connector
Hi,
We need to use SSL when building a connection to MS SQL Server. Please tell me how to configure SSL in the DB Connect app, and how to import the certificates.
Additional SSL Verification
Hey everyone.
First-time SSL setup (IDX & UF both v8.x) and cert creation (never done it before). I had a question about verifying whether things worked. I walked through the Splunk docs and got to the point of verifying the connection.
https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Validateyourconfiguration
On my IDX I can run:
index=_internal source=*metrics.log* group=tcpin_connections |
dedup hostname | table _time hostname version sourceIp destPort ssl
I do get the expected result returned: port (9998) and SSL = true.
BUT this was the only part of the instructions that I could follow to verify SSL items. I can't find anything else within splunkd or index=_* referencing what is mentioned in the validation procedures for the UF portion. I can see that the UF has the following output in splunkd: "Connected to idx=10.202.20.229:9998". This UF is only set up to forward to the one server over port 9998.
The next steps I followed were on this page https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/Troubleshootyouforwardertoindexerauthentication
openssl s_client -connect :
and the expected output mentioned Verify return code: 0 (ok), but it was instead returning code: 18 (self signed certificate).
Then on the UF I attempted to monitor a random log file that I update. On the main Splunk server I can see the data come in.
I'm just second-guessing whether I did things correctly, given I wasn't able to validate the internal Splunk logs.
UF
server.conf
[sslConfig]
sslRootCAPath = /opt/splunkforwarder/etc/auth/myCerts/myCACertificate.pem
sslPassword =
outputs.conf
[SSL]
[tcpout]
defaultGroup = group1
[tcpout:group1]
server = 10.202.20.229:9998
disabled = 0
clientCert = /opt/splunkforwarder/etc/auth/myCerts/myNewSplunkForwarderCert.pem
useClientSSLCompression = true
sslPassword =
IDX
inputs.conf
[splunktcp-ssl:9998]
disabled = 0
[SSL]
serverCert = /opt/splunk/etc/auth/myCerts/myNewSplunkIndexerCert.pem
sslPassword =
requireClientCert = "true"
server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/myCerts/myCACertificate.pem
sslPassword =
How to Disable SSL Validation in Gitlab Add-on?
I am facing the following error while trying to collect logs from the GitLab add-on. Can anyone help me disable it? Changing verify=True to False for the HTTP request function in base_modinput.py, as suggested on another similar question on this issue, did not help.
2020-03-31 11:33:18,582 ERROR pid=793 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/modinput_wrapper/base_modinput.py", line 127, in stream_events
self.collect_events(ew)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/get_events.py", line 72, in collect_events
input_module.collect_events(self, ew)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/input_module_get_events.py", line 166, in collect_events
headers=headers)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/modinput_wrapper/base_modinput.py", line 476, in send_http_request
proxy_uri=self._get_proxy_uri() if use_proxy else None)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/splunk_aoblib/rest_helper.py", line 43, in send_http_request
return self.http_session.request(method, url, **requests_args)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/requests/sessions.py", line 488, in request
resp = self.send(prep, **send_kwargs)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/requests/sessions.py", line 609, in send
r = adapter.send(request, **kwargs)
File "/base/splunk/etc/apps/TA-gitlab-add-on/bin/ta_gitlab_add_on/requests/adapters.py", line 497, in send
raise SSLError(e, request=request)
SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)
Secure splunk enterprise cluster deployment with SSL / mutual TLS
Hi,
We are deploying Splunk Enterprise in AWS and we want to know how, and which, components are to be SSL secured.
A few points about our cluster; we have to work within these constraints:
1. There are no forwarders (I see Splunk recommends using forwarders, but we chose another route), and so no deployment server.
2. HEC is enabled on the indexers and our Java-based application sends data to the HEC indexers.
3. Our company provides all required certs for SSL and we have to use these certs.
Our sample cluster would be something like 3 search heads in an SHC, 1 cluster/license master, 7 indexers in an indexer cluster, and a deployer.
Here are my few questions about securing the different components of our cluster:
1. Following https://docs.splunk.com/Documentation/Splunk/7.3.3/Security/SecureSplunkWebusingasignedcertificate to secure Splunk Web (search heads) with our own certs. Do we still need to perform this step if we have our search head cluster fronted by an HTTPS load balancer? If yes, any detailed explanation would be helpful.
2. Do we need to have mutual TLS between search heads in the SHC and indexers in the indexer cluster? Since both are clusters, search heads communicate first with the master and then with the indexers, so how can we secure communication between SHs and indexers with our own certs?
3. How do we secure communication between our HEC indexers and the Java-based application? We are planning to have our HEC indexers fronted by an HTTPS load balancer. How do we achieve secure communication in this regard with our own certs?
4. Are there any other channels that we need to secure with our own certs apart from the above?
I know this is a big list of questions, but any help here will really help us build a secure cluster.
Any help is highly appreciated.
Thanks in advance.
SSL/TLS on a TCP data input?
I need to setup a TCP data input and I need to ensure that it is SSL/TLS.
I understand that I can add a stanza to an inputs.conf file as referenced in this post:
https://answers.splunk.com/answers/684045/how-to-enable-tcp-data-input-with-ssl.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev
My question is - which inputs.conf file? The data is coming in to my Search Head server and there are a bunch of apps installed there, each with their own inputs.conf file. Which one controls the TCP Data Inputs?
Thanks.
Getting "unsupported certificate purpose" ERROR when enabling SSL on management port with requireClientCert = true
Hi All,
I want to enable SSL for the Splunk management port (8089) to secure inter-Splunk communications. I have the settings below in my Cluster Master server.conf:
[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/server-chain-with-key.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true
But I see the errors below in **CM splunkd.log**:
ERROR X509Verify - X509 certificate (CN=XXXX,OU=YYYY,O=ZZZ..) failed validation; error=26, reason="unsupported certificate purpose"
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
WARN HttpListener - Socket error from :47154 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
And I see this in my Indexer splunkd.log
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.
Can anyone help me understand why I'm seeing this issue? I have gone through a lot of answers and even the 2015 .conf slides, but do not understand why ***requireClientCert*** should be made ***false***. I don't see anyone explaining the reason for this.
I basically want to enable mutual authentication between CM and indexers on management port and hence made ***requireClientCert = true***. Is mutual TLS supported by Splunk on management port? If yes, how should I provide client certs for mTLS?
Thanks in advance
Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group {{ redacted }} has been blocked for 30 seconds
I have a new Splunk deployment with a multi-site index cluster. I currently have set up heavy forwarders using indexer discovery and assigned them to the primary site. In my DMC all health checks and the index cluster status look good, as does the index cluster status when looking on the master. In splunkd.log on the index peers and master I have no errors. I have set up an SSL input on the index cluster and do not have a non-SSL input enabled. I have configured the heavy forwarders' outputs.conf to useSSL. To keep things simple right now, I am not requiring a client cert in the indexer's inputs.conf.
The problem I am seeing is in the heavy forwarder's splunkd.log, and it states: Tcpout Processor: The TCP output processor has paused the data flow. Forwarding to output group {{ redacted }} has been blocked for 30 seconds
I have verified connectivity to the master and index peers from the heavy forwarders and have verified connectivity to the input port on the index peers from the heavy forwarders.
Any thoughts?
Indexer/UF SSL: requireClientCert and SSL3_GET_RECORD:wrong version number (7.3.2)
Hello,
I have been working to enable SSL between a UF and an indexer and am not sure I follow the usage of the requireClientCert option. It seems to me the purpose of this option is disabling a two-way handshake between the forwarder and indexer, but the behavior I am seeing is counter to that thought.
If I do not point the forwarder's outputs.conf to a clientCert and sslPassword, I receive this error in the indexer log:
04-27-2020 19:48:52.747 +0000 ERROR TcpInputProc - Error encountered for connection from src=my_fwdr_ip:38694. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
That's a pretty generic error, but in most cases it means there was a handshake issue between a client and server. Shouldn't the requireClientCert=false negate the necessity for the forwarder to present a cert back to the indexer? Is this a bug?
Below are my .confs:
**inputs.conf on indexer**
[default]
host = myhost.mycodomain
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = /opt/splunk/etc/auth/myco_certs/mychain.pem
sslPassword =
requireClientCert = false
**outputs.conf on UF**
[tcpout]
disabled = false
defaultGroup = splkgroup1
[tcpout:splkgroup1]
server = 123.456.123.456:9997
disabled = 0
sslCommonNameToCheck = myco.com
sslVerifyServerCert = true
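Several of the questions on this page are diagnosed from splunkd.log lines: the HF A/B post at the top (TcpOutputFd sock_error 104), the management-port post (X509Verify error=26, "unsupported certificate purpose") and this one (TcpInputProc "wrong version number"). The Python script below is an added example written for this page; it is not code from any of the posters or from Splunk. It parses the quoted lines and maps each to its general TLS/OpenSSL meaning (errno 104 is ECONNRESET, X509 verify error 26 is X509_V_ERR_INVALID_PURPOSE, "SSL3_GET_RECORD:wrong version number" means the listener got bytes that are not a TLS record). The rule table, tags and the Finding class are my own; the sample lines are the ones quoted in the posts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample splunkd.log lines, quoted from the posts on this page (not constructed here).
SAMPLE_LOG = """\
02-19-2020 23:38:26.344 +0000 INFO TcpOutputProc - Connected to idx=1.2.3.4:9997, pset=0, reuse=0. using ACK.
02-19-2020 23:41:09.861 +0000 ERROR TcpOutputFd - Connection to host=1.2.3.4:9997 failed. sock_error = 104. SSL Error = error:00000000:lib(0):func(0):reason(0)
ERROR X509Verify - X509 certificate (CN=XXXX,OU=YYYY,O=ZZZ..) failed validation; error=26, reason="unsupported certificate purpose"
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
04-27-2020 19:48:52.747 +0000 ERROR TcpInputProc - Error encountered for connection from src=my_fwdr_ip:38694. error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
05-21-2020 10:23:16.119 -0400 INFO TcpOutputProc - Found currently active indexer. Connected to idx=ip:9998, reuse=1.
"""

# The timestamp is optional because some posts quote lines without it.
LINE_RE = re.compile(
    r"^(?:\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4} )?"
    r"(?P<level>INFO|WARN|ERROR) (?P<component>\w+) - (?P<message>.*)$"
)
PEER_RE = re.compile(r"\b(?:idx|host|src)=([^\s,]+)")


@dataclass
class Finding:
    component: str
    level: str
    rule: str                 # short tag for the matched pattern (my own naming)
    detail: str               # what a defender should check next
    peer: Optional[str] = None  # idx=/host=/src= value if the line carries one


# (regex over the message, rule tag, guidance). Guidance is general OpenSSL/TLS
# knowledge, not a claim about Splunk internals.
RULES = [
    (re.compile(r"sock_error = 104\b.*SSL Error = error:00000000"), "peer-reset-no-ssl-error",
     "errno 104 is ECONNRESET: the receiver closed the socket before any TLS error was "
     "recorded on this side; the reason will be in the receiver's splunkd.log"),
    (re.compile(r"error=26\b|unsupported certificate purpose"), "invalid-purpose",
     "OpenSSL X509_V_ERR_INVALID_PURPOSE (26): the certificate's keyUsage/extendedKeyUsage "
     "does not allow the role it was presented for (e.g. a serverAuth-only cert used as a client cert)"),
    (re.compile(r"alert_description='unsupported certificate'"), "peer-rejected-cert",
     "a fatal 'unsupported certificate' alert was raised during the handshake: a presented "
     "certificate was rejected by its verifier; pair it with the X509Verify line on the rejecting side"),
    (re.compile(r"SSL3_GET_RECORD:wrong version number"), "non-tls-client",
     "the listener received bytes that are not a TLS record: a plaintext (non-SSL) client is "
     "talking to an SSL-enabled port, or something in the path is not speaking TLS"),
    (re.compile(r"Connected to idx="), "connected", "healthy connection; no action"),
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one splunkd.log line into level, component and message; None if not a log line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text: str) -> List[Finding]:
    """Classify every recognisable line; the first matching rule wins."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        peer_m = PEER_RE.search(rec["message"])
        peer = peer_m.group(1).rstrip(".") if peer_m else None
        for pattern, tag, detail in RULES:
            if pattern.search(rec["message"]):
                findings.append(Finding(rec["component"], rec["level"], tag, detail, peer))
                break
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per rule tag, e.g. to alert when non-'connected' tags appear."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.level:5} {f.component:14} {f.rule:24} peer={f.peer} :: {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run it against a real splunkd.log by replacing SAMPLE_LOG with the file contents; the peer field lets you group failures per receiver, which is how the A/B difference in the first post would show up immediately.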
Getting authentication error when adding new input for Google Cloud Platform add-on: SSL: CERTIFICATE_VERIFY_FAILED.
Hi guys,
We want to onboard some data from the Cloud Storage Bucket of our GCP platform.
When adding a new input, we have this error:
Unexpected error "" from python handler: "(SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)'),)". See splunkd.log for more details.
I searched Splunkd log, and we have these error messages:
ERROR Failed to execute function=handleList, error=Traceback (most recent call last):
File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/splunktalib/common/pattern.py", line 44, in __call__
return func(*args, **kwargs)
File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/splunk_ta_gcp/resthandlers/projects.py", line 38, in handleList
res_mgr = grm.GoogleResourceManager(logger, config)
File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/splunk_ta_gcp/legacy/resource_manager.py", line 51, in __init__
self._client = gwc.create_google_client(self._config)
File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/splunk_ta_gcp/legacy/common.py", line 210, in create_google_client
client = discovery.build(config["service_name"], config["version"], http=http, cache_discovery=False)
File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/3rdparty/oauth2client/util.py", line 137, in positional_wrapper
return wrapped(*args, **kwargs)
File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/3rdparty/googleapiclient/discovery.py", line 229, in build
requested_url, discovery_http, cache_discovery, cache)
File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/3rdparty/googleapiclient/discovery.py", line 276, in _retrieve_discovery_doc
resp, content = http.request(actual_url)
File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/httplib2shim/google_auth.py", line 201, in request
uri, method, body=body, headers=request_headers, **kwargs)
File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/httplib2_helper/httplib2_py2/httplib2/__init__.py", line 2135, in request
cachekey,
File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/httplib2_helper/httplib2_py2/httplib2/__init__.py", line 1796, in _request
conn, request_uri, method, body, headers
File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/httplib2shim/__init__.py", line 171, in _conn_request
raise _map_exception(e)
SSLError: (SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)'),)
And this:
ERROR AdminManagerExternal - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 131, in init\n hand.execute(info)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 595, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/splunktalib/common/pattern.py", line 44, in __call__\n return func(*args, **kwargs)\n File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/splunk_ta_gcp/resthandlers/projects.py", line 38, in handleList\n res_mgr = grm.GoogleResourceManager(logger, config)\n File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/splunk_ta_gcp/legacy/resource_manager.py", line 51, in __init__\n self._client = gwc.create_google_client(self._config)\n File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/splunk_ta_gcp/legacy/common.py", line 210, in create_google_client\n client = discovery.build(config["service_name"], config["version"], http=http, cache_discovery=False)\n File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/3rdparty/oauth2client/util.py", line 137, in positional_wrapper\n return wrapped(*args, **kwargs)\n File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/3rdparty/googleapiclient/discovery.py", line 229, in build\n requested_url, discovery_http, cache_discovery, cache)\n File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/3rdparty/googleapiclient/discovery.py", line 276, in _retrieve_discovery_doc\n resp, content = http.request(actual_url)\n File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/httplib2shim/google_auth.py", line 201, in request\n uri, method, body=body, headers=request_headers, **kwargs)\n File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/httplib2_helper/httplib2_py2/httplib2/__init__.py", line 2135, in request\n cachekey,\n File 
"/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/httplib2_helper/httplib2_py2/httplib2/__init__.py", line 1796, in _request\n conn, request_uri, method, body, headers\n File "/opt/splunk/etc/apps/Splunk_TA_google-cloudplatform/bin/httplib2shim/__init__.py", line 171, in _conn_request\n raise _map_exception(e)\nSSLError: (SSLError(1, u'[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:741)'),)\n
So is there a way to add our own CA cert to avoid the SSL error, or is there a way to turn off SSL verification?
Many thanks,
S
Cannot figure out SSL configuration between Indexer and Forwarders (7.3.4)
I have followed all of Splunk's documentation to be able to use certificates signed by a local Certificate Authority and have tried to set up the SSL configuration in server.conf, inputs.conf, and outputs.conf, but no matter what the connection between Indexer and Forwarders cannot be established because the Indexer actively refuses to allow this connection.
For the configuration of SSL in the forwarders I have a custom app that is pushed using the Deployment Server capabilities.
The server.conf in the indexer's .../system/local:
[sslConfig]
sslRootCAPath = /path/to/RootCA.pem
sslVersions = tls1.2
The inputs.conf in the indexer's .../system/local:
[splunktcp-ssl://9997]
connection_host = ip
disabled = 0
[SSL]
serverCert = /path/to/serverCert.pem
requireClientCert = true
sslVersions = tls1.2
The server.conf in the forwarder's .../app//local
[sslConfig]
sslRootCAPath = /path/to/app/RootCA.pem
sslVersions = tls1.2
The outputs.conf in the forwarder's .../app//local
[tcpout]
useSSL = true
clientCert = /path/to/app/clientCert.pem
useACK = true
sslVersions = tls1.2
Essentially, I have three .pem files: RootCA.pem (this one in the server.conf of both Indexer and Forwarder), serverCert.pem (this one in the inputs.conf of the Indexer), and clientCert.pem (this one in the outputs.conf in the Forwarder). I want to make sure that communication between Deployment Server and Forwarder does not require certificates, as I am trying to install the Forwarders with a script and have it pull the certificates and configuration so it can then communicate with the receiving port (9997).
What am I doing wrong? I followed these instructions:
https://docs.splunk.com/Documentation/Splunk/7.3.4/Security/HowtoprepareyoursignedcertificatesforSplunk
https://docs.splunk.com/Documentation/Splunk/7.3.4/Security/ConfigureSplunkforwardingtousesignedcertificates
And I am running Splunk 7.3.4.
how to implement ssl in outputs.conf
More than 70% of forwarding destinations have failed. Ensure your hosts and ports in outputs.conf are correct. Also ensure that the indexers are all running, and that any SSL certificates being used for forwarding are correct.
Splunk Enterprise 8089 Vulnerability Scan Results: Resolve these SSL errors when not using SSL?
Hello, our Splunk forwarder, only on our Nessus instance, is generating findings on port 8089. Our Splunk doesn't use the universal forwarder's SSL (we implemented our own wrapper). So why is it trying to create a connection on 8089 (even though our firewall is blocking it)?
I'm required to scan my Splunk Enterprise environment for compliance reasons. When I'm scanning my search heads and indexers, I keep getting multiple SSL errors for the management port 8089. I've searched and haven't found a method to upload a third-party cert to fix this, or whether this is something that I'll just have to note as not fixable. I've included some of the vulnerability issues I've found. Not sure if opening a ticket with support would get me the information I need.
SSL Certificate with Wrong Hostname
SSL Certificate Cannot Be Trusted
SSL Self-Signed Certificate
DB connect problem sql server
Hello,
I'm having problems when trying to connect to a database through DB Input, when I click on validate the following error message appears:
"com.zaxxer.hikari.pool.HikariPool $ PoolInitializationException: failed to initialize the pool: the driver was unable to establish a secure connection to SQL Server using Secure Sockets Layer (SSL) encryption. Error:" SQL Server did not return a answer. The connection has ended. ClientConnectionId: 5d293ec3-b435-4981-9f69-31103f087942 ".
I tried with the SSL option enabled and disabled, but both without success.
Can someone help me?
Thank you!
Regards,
Jefferson
How to forward all indexed data from all indexes from heavy forwarder to another instance over ssl?
I am using Splunk Free, and the Splunk add-on for AWS, attempting to index and forward generic s3 data with a custom index name to a Splunk Enterprise instance. It looks like data is being indexed, and the ssl connection is connecting, but not forwarding data. I have indexed data that shows in the web client. I am getting the following repeated output in splunkd.log
05-21-2020 10:23:16.119 -0400 INFO TcpOutputProc - Found currently active indexer. Connected to idx=ip:9998, reuse=1.
05-21-2020 10:23:25.150 -0400 INFO LMStackMgr - license_warnings_update_interval=auto has reached the minimum threshold 10. Will not reduce license_warnings_update_interval beyond this value
In outputs.conf, to account for sending all indexes, I used 'forwardedindex.0.whitelist = .*'
inputs.conf
[default]
host = hostname
disabled=0
outputs.conf
[tcpout]
defaultGroup = default-autolb-group
indexAndForward = true
disabled = false
forwardedindex.0.whitelist = .*
[tcpout:default-autolb-group]
compressed = true
server = ip:9998
clientCert = /opt/splunk/etc/auth/server.pem
sslPassword = passwordHere
sslRootCAPath = /opt/splunk/etc/auth/ca.pem
sslVerifyServerCert = false
sendCookedData = true
What is the required change in my forwarder configuration?
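The configs quoted across this page show the same few weak spots: sslVerifyServerCert = false in this post, useSSL = true with no clientCert in the 8.0.2.1 post, a stray [SSL] stanza in the forwarder's outputs.conf and a quoted requireClientCert = "true" in the "Additional SSL Verification" post. The Python linter below is an added example written for this page, not Splunk code or any poster's code. It parses outputs.conf and inputs.conf with the standard configparser and flags those settings, with a hardened outputs.conf beside the weak one so the corrected form is visible. The sample files are constructed from the settings quoted in the posts (file paths and the sslCommonNameToCheck value are placeholders); the severity labels and the rule wording are my own, and the checks rest on general TLS facts (an unverified server certificate accepts any TLS terminator; a receiver that requires a client certificate refuses a client that presents none).

```python
import configparser
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, stanza, message); severities are my own labels

# Constructed sample files, adapted from the weak settings quoted in the posts above.
WEAK_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group
indexAndForward = true

[SSL]

[tcpout:default-autolb-group]
server = ip:9998
useSSL = true
clientCert = /opt/splunk/etc/auth/server.pem
sslPassword = passwordHere
sslRootCAPath = /opt/splunk/etc/auth/ca.pem
sslVerifyServerCert = false
"""

# The 8.0.2.1 post: SSL requested but no client certificate configured.
NO_CLIENT_CERT_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = splunkserver:9997
useSSL = true
"""

# Corrected form (placeholder paths and name): verify the receiver and pin its name.
HARDENED_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = ip:9998
useSSL = true
clientCert = /opt/splunk/etc/auth/forwarder.pem
sslPassword = passwordHere
sslRootCAPath = /opt/splunk/etc/auth/ca.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunkserver
"""

WEAK_INPUTS_CONF = """\
[splunktcp-ssl:9998]
disabled = 0

[SSL]
serverCert = /opt/splunk/etc/auth/myCerts/myNewSplunkIndexerCert.pem
sslPassword =
requireClientCert = "true"
"""


def load_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk .conf: keys are case-sensitive and values may contain $ and ':'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep sslVerifyServerCert etc. exactly as written
    cp.read_string(text)
    return cp


def is_true(value) -> bool:
    return (value or "").strip().lower() in ("true", "1", "yes", "y")


def is_false(value) -> bool:
    return (value or "").strip().lower() in ("false", "0", "no", "n")


def lint_outputs(text: str) -> List[Finding]:
    """Check forwarder-side TLS settings in every [tcpout*] stanza."""
    cp = load_conf(text)
    out: List[Finding] = []
    for name in cp.sections():
        if name == "SSL":
            out.append(("warn", name, "[SSL] is an inputs.conf stanza; in outputs.conf the SSL "
                        "settings belong under [tcpout] or [tcpout:<group>]"))
            continue
        if not name.startswith("tcpout"):
            continue
        s = cp[name]
        if is_false(s.get("sslVerifyServerCert")):
            out.append(("high", name, "sslVerifyServerCert = false: the receiver's certificate is "
                        "never verified, so any host terminating TLS on that port is accepted; "
                        "set it to true and point sslRootCAPath at the signing CA"))
        elif is_true(s.get("sslVerifyServerCert")) and not (
                s.get("sslCommonNameToCheck") or s.get("sslAltNameToCheck")):
            out.append(("info", name, "sslVerifyServerCert = true without sslCommonNameToCheck/"
                        "sslAltNameToCheck: the chain is checked but the name is not pinned"))
        if is_true(s.get("useSSL")) and not s.get("clientCert"):
            out.append(("info", name, "useSSL = true without clientCert: no client certificate is "
                        "presented, so a receiver with requireClientCert = true refuses the handshake"))
    return out


def lint_inputs(text: str) -> List[Finding]:
    """Check receiver-side settings in the [SSL] stanza of inputs.conf."""
    cp = load_conf(text)
    if "SSL" not in cp:
        return [("warn", "SSL", "no [SSL] stanza: a splunktcp-ssl input needs serverCert here")]
    s = cp["SSL"]
    out: List[Finding] = []
    rcc = (s.get("requireClientCert") or "").strip()
    if rcc[:1] in ('"', "'"):
        out.append(("warn", "SSL", f"requireClientCert = {rcc}: value is quoted; write it "
                    "unquoted (requireClientCert = true) so it cannot be read as a literal string"))
    elif not is_true(rcc):
        out.append(("info", "SSL", "requireClientCert is not true: the forwarder is never "
                    "authenticated, so anything that can reach the port may send data"))
    if not s.get("serverCert"):
        out.append(("high", "SSL", "serverCert missing: the receiver has no certificate to present"))
    if not (s.get("sslPassword") or "").strip():
        out.append(("info", "SSL", "sslPassword is empty: the private key in serverCert must be "
                    "stored unencrypted for it to load"))
    return out


if __name__ == "__main__":
    for label, fn, conf in (("weak outputs", lint_outputs, WEAK_OUTPUTS_CONF),
                            ("no clientCert", lint_outputs, NO_CLIENT_CERT_OUTPUTS_CONF),
                            ("hardened outputs", lint_outputs, HARDENED_OUTPUTS_CONF),
                            ("weak inputs", lint_inputs, WEAK_INPUTS_CONF)):
        print(f"== {label}: {len(fn(conf))} finding(s)")
        for sev, stanza, msg in fn(conf):
            print(f"  [{sev}] [{stanza}] {msg}")
```

Point lint_outputs at the merged outputs.conf (btool output works as input too, since it is the same INI shape) rather than a single file, because the forwarder's effective setting is whichever stanza wins after precedence is applied.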