To engineer one of my DATA sources using the REST API, I have to disable HTTPS in server.conf.
Could any splunk-ers tell me what the effects, if any, are on splunkd and my deployment process? I presume it will be insecure, but I am unsure of any adverse effects, because it is not recommended by Splunk.
↧
What are the effects on a distributed deployment if I disable ssl on port 8089?
↧
Is the process different for creating SSL certificates for receiving vs for Splunk Web?
I'm trying to set up new Splunk indexers to replace our older ones. I want to set them up similarly to the old indexers where splunkweb is secured, but also the indexers receive forwarder traffic via SSL.
Our certificates would be signed by our own internal CA which is a process I'm quite familiar with.
I'm the one who created this same setup on the old indexers some time ago, but I was a little unclear about the process, so I read through the documentation and the wiki. The only "how to make a certificate for Splunk" information I seem to be able to find indicates that the final server certificate would be composed of the concatenation of
1 signed server certificate
2 public CA certificate
in that order. I find that works perfectly fine for securing splunkweb. However, I've found that this seems insufficient for the receiving port. I get errors in splunkd.log
11-12-2015 21:37:19.279 -0600 ERROR SSLCommon - Can't read certificate file /opt/splunk/etc/auth/mycerts/myindexer.privatekey.pem errno=33558530 error:02001002:system library:fopen:No such file or directory
11-12-2015 21:37:19.279 -0600 ERROR HTTPServer - SSL context could not be created - error in cert or password is wrong
11-12-2015 21:37:19.279 -0600 ERROR HTTPServer - SSL will not be enabled
The private key does not have a password. After further experimentation and noting some comments on the web about this particular openssl error, if I create a server certificate that is the concatenation of
1 signed server certificate
2 server's private key
3 public CA certificate
(again, in that order) then everything works fine -- no errors at startup and 9997 is listening. It seems that the server certificate on the old indexers has this same combination that includes the private key.
What puzzles me is that I can't find anything in the Splunk docs or the wiki (which I think could use some updating on this topic anyway, as, for example, Splunk does seem to support password-protected certificates now) about including the private key for any certificate, nor anything indicating that this would be something different between the requirements for a splunkweb certificate file versus one for a receiving certificate file. It doesn't seem as if there's any real harm in a combo that includes the private key being used for splunkweb, as long as I keep all the certificate files as protected as I can with OS permissions. I just don't understand why I can't find any documentation that seems to line up with the only way I can make this configuration work.
Am I missing something?
Thanks
↧
Splunk certificates required for 3rd Party Application?
I am making a 3rd party application using the Splunk API. I noticed that in server.conf, toggling enableSplunkdSSL to true or false secures or unsecures the splunkd port. However, I am not at all familiar with the certs. I need some help regarding certs. I need to make a request to the https management port. After adding the default cert to the browser, I can access it, but through the application, I cannot. So to add those certs in the application, which file do I need to add in my application, and how do I create those files from the default cert which I am getting from the browser?
How can I import those certs in my application?
Thanks in advance
Regards
↧
How to access https management port from my application when enablesplunkdSSL=true?
I am making a call from a node to a Splunk instance, i.e. the 8089 port, which is running by default on the https protocol and uses the Splunk default certificate. So when I change enableSplunkdSSL = false, I am able to access the 8089 port from my application through the http protocol, but when I enable it to true with this configuration:
[sslConfig]
enableSplunkdSSL = true
sslKeysfilePassword = ***************
sslKeysfile = server.pem
caCertFile = cacert.pem
caPath = C:/Program Files/Splunk/etc/auth
requireClientCert = false
sslVerifyServerCert = false
certCreateScript = C:/Program Files/Splunk/bin/genSignedServerCert.py
I am not able to hit the Splunk instance. It's giving me a node error. Does anybody know what the issue is here?
Thanks in advance
↧
How to configure a Splunk 6.2.3 search head cluster behind an AWS Elastic Load Balancer (ELB) to terminate SSL?
We are running 6.2.3 and are using search head clustering.
We would like to use an AWS ELB to terminate SSL, and then send the data to port 8000 on the search head nodes. The problem is that Splunk Web will redirect to HTTP and URLs in the UI will be plain HTTP and not HTTPS.
Is it possible to configure Splunk so that it is aware it is behind an SSL proxy?
↧
Custom SSL certificate for deployment server SSLCommonNameToCheck
I am trying to troubleshoot where my issue lies in implementing my own SSL certificates to secure the deployment server to client configuration.
DS server.conf:
[sslConfig]
caCertFile = cacert.crt
caPath = $SPLUNK_HOME/etc/auth/myOrg
requireClientCert = false
sslKeysfile = splunk-ds.ser.cer
sslKeysfilePassword =
sslVersions = tls, -tls1.0
Client server.conf:
[sslConfig]
caCertFile = cacert.crt
caPath = $SPLUNK_HOME/etc/apps/config_uf/auth
sslKeysfile = splunk-uf.ser.cer
sslKeysfilePassword =
sslVersions = tls, -tls1.0
sslVerifyServerCert = true
sslCommonNameToCheck = splunk-ds.myorg.com
Now, it should be noted that my client is connecting to the deployment server by hostname, whereas the common name of the certificate is a DNS name. I have the FQDN listed under the Subject Alternative Name, and according to the documentation for 6.3 you cannot use the SAN list for deployment server to client communication (I haven't tested this to see if it really doesn't work; that will be my next step).
What I am asking for is whether there is a better way to troubleshoot the issue, because the splunkd.log is entirely unhelpful as to the issue, since this is all it is telling me from the client side:
11-18-2015 14:02:02.132 -0500 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
I have only done this to one of my clients, but I can't exactly sift through my deployment server logs very easily since there are over 12,000 systems hitting it. Any pointers? The common name provided in the client data IS the common name of the certificate used, it just isn't the hostname of the system.
Edit: It looks like this is all I can see from the Deployment Server. Right after it sends all the successful messages stating that the downloaded updates were completed, you see a reset of the connection (due to the forwarder restarting) and then this:
11-18-2015 13:34:16.773 -0500 WARN HttpListener - Socket error from 10.10.175.64: Connection reset by peer
11-18-2015 14:01:38.920 -0500 WARN HttpListener - Connection from 10.10.175.64 didn't send us any data, disconnecting
11-18-2015 14:03:25.709 -0500 WARN HttpListener - Connection from 10.10.175.64 didn't send us any data, disconnecting
It is very odd that it takes 30 minutes before it complains about not receiving any data; I get two messages, and then nothing further beyond that. These logs are also very unhelpful for identifying the underlying issue.
↧
Splunk Support for Active Directory: "SSLError at "/opt/splunk/lib/python2.7/ssl.py"...sslv3 alert handshake failure"
Hello,
I am attempting to configure SA-ldapsearch on our Splunk 6.3.1 cluster with search head cluster.
I have installed SA-Ldapsearch on the deployer and pushed the bundle, no issue there. I am logging into a particular search head with the intention to configure the domain connections (and eventually copy the config back to the deployer) but attempting to configure the first domain, clicking "Test Connection" it errors with:
Connection test for default failed
Search
| ldaptestconnection domain="default"
Result
distinguishedName: DC=acme,DC=com
Error
SSLError at "/opt/splunk/lib/python2.7/ssl.py", line 788 : [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:595)"
Testing from our test environment to the same Domain Controller works. So I'm thinking something in our production environment is different. Debugging via
./splunk cmd btool server list --debug
doesn't show anything too different outside of the clustering config etc.
egrep -i 'security|ssl|cipher|cert|key' /tmp/debug.txt
/opt/splunk/etc/system/default/server.conf caCertFile = $SPLUNK_HOME/etc/auth/appsCA.pem
/opt/splunk/etc/system/default/server.conf cipherSuite = TLSv1+HIGH:@STRENGTH
/opt/splunk/etc/system/default/server.conf sslCommonNameList = apps.splunk.com
/opt/splunk/etc/system/local/server.conf pass4SymmKey = $1$<>=
/opt/splunk/etc/system/local/server.conf pass4SymmKey = $1<>
/opt/splunk/etc/system/default/server.conf encrypt_fields = "server:sslConfig:sslKeysfilePassword", "server:shclustering:pass4SymmKey", "outputs:tcpout:sslPassword", "inputs:SSL:password", "alert_actions:email:auth_password", "server:shclustering:password", "server:clustering:password", "server:clustering:pass4SymmKey", "server:general:pass4SymmKey", "app:credential:password", "passwords:credential:password", "server:deployment:pass4SymmKey", "authentication: :bindDNpassword", "server:kvstore:sslKeysPassword"
/opt/splunk/etc/system/local/server.conf pass4SymmKey = $1$<.>=
/opt/splunk/etc/system/local/server.conf [sslConfig]
/opt/splunk/etc/system/default/server.conf allowSslCompression = true
/opt/splunk/etc/system/default/server.conf allowSslRenegotiation = true
/opt/splunk/etc/system/local/server.conf caCertFile = ca/RCA-mvmica002.cer
/opt/splunk/etc/system/default/server.conf certCreateScript = $SPLUNK_HOME/bin/splunk, createssl, server-cert
/opt/splunk/etc/system/default/server.conf cipherSuite = TLSv1+HIGH:@STRENGTH
/opt/splunk/etc/system/default/server.conf enableSplunkdSSL = true
/opt/splunk/etc/system/local/server.conf requireClientCert = false # The Splunk for Windows Infrastructure App breaks if this is enabled
/opt/splunk/etc/system/local/server.conf sendStrictTransportSecurityHeader = true
/opt/splunk/etc/system/local/server.conf sslKeysfile = certs/lvmsplunk011.acme.com.pem
/opt/splunk/etc/system/local/server.conf sslKeysfilePassword = $1$Yg==
/opt/splunk/etc/system/default/server.conf sslVersions = *,-ssl2
/opt/splunk/etc/system/local/server.conf supportSSLV3Only = true
/opt/splunk/etc/system/default/server.conf useClientSSLCompression = true
/opt/splunk/etc/system/default/server.conf useSplunkdClientSSLCompression = true
Any suggestions on where to troubleshoot will be appreciated.
↧
Mobile Access to a SearchHead with own SSL Certificate
Hey,
I have a SearchHead in the DMZ for access with the Splunk Mobile App, connecting to the management port 8089. Now I would like to install my own SSL certificates. Do I have to configure this in web.conf? Actually it doesn't work; maybe someone can give me a hint.
Thanks, Cheers
Sven
↧
Splunk Support for Active Directory 2.1.1: KeyError at ".../apps/SA-ldapsearch/bin/packages/splunklib/client.py", line 1653 : u'ssl'"
I'm trying to configure version 2.1.1 of the app Splunk Support for Active Directory and I get this error when trying to use it or test the connection. I am using Splunk version 6.3, and I have tried uninstalling and reinstalling the application.
ldap.conf
[default]
alternatedomain = EXAMPLE
basedn = DC=corp,DC=example,DC=com
binddn = splunk
port = 636
server = corp.example.com
ssl = 1
↧
How do I read SSL Certificates from Custom Folder?
I tried to get my indexer and forwarders communicating using SSL by following [this][1] guide. However, I found that I couldn't get it working without just throwing all of the certificates into the auth folder. If I do that it works, but if I try to put the certificates outside of that folder it doesn't. The problem is that updating Splunk will overwrite that folder, so I'm trying to keep my certificates in a different folder, which should be possible. I've tried setting the variables I can find to point to the new certificate location, but it produces the following error in splunkd.log and doesn't forward data.
12-02-2015 12:01:32.070 -0500 ERROR SSLCommon - Can't read key file /opt/splunkforwarder/etc/certs/server.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
Because server.pem works fine inside of the auth folder, I'm guessing that the problem is with supporting files. So far I've tried using outputs.conf sslCertPath and sslRootCAPath, as well as server.conf caPath, sslKeysfile, and caCertFile. Below are the contents of my auth folder.
-rwxr-x--- 1 splunk splunk 3050 Dec 2 12:54 ca.pem
-rwxr-x--- 1 splunk splunk 17 Dec 2 12:54 ca.srl
-rwxr-x--- 1 splunk splunk 1216 Dec 2 12:54 cacert.pem
-rwxr-x--- 1 splunk splunk 1834 Dec 2 12:54 cakey.pem
-rwxr-x--- 1 splunk splunk 1013 Dec 2 12:54 careq.pem
-rw------- 1 splunk splunk 1041 Dec 2 12:54 privKeySecure.pem
-rw------- 1 splunk splunk 566 Dec 2 12:54 req.pem
-rwxr-x--- 1 splunk splunk 4386 Dec 2 12:54 server.pem
-r-------- 1 splunk splunk 255 Dec 2 12:54 splunk.secret
drwx------ 2 splunk splunk 512 Dec 2 12:54 splunkweb
I provided ca.pem, ca.srl, cacert.pem, cakey.pem, careq.pem, server.pem from the certificate generation process; I mirrored all of my certificate names with the default file names. Those files (and only those files) are in the certs folder, which is the folder I made that I want to read certs from. Is there some other Certificate location I'm failing to point to? Or is this a problem somewhere else?
Here's my working outputs.conf:
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = 129.52.27.30:9997
compressed = true
[tcpout-server://129.52.27.30:9997]
sslAltNameToCheck = winsplunk
sslCertPath = /opt/splunkforwarder/etc/auth/server.pem
sslCommonNameToCheck = winsplunk
sslPassword = totallyFunctionalHash
sslRootCAPath = /opt/splunkforwarder/etc/auth/cacert.pem
sslVerifyServerCert = true
Here's my working server.conf:
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[general]
pass4SymmKey = AnotherFunctionalHash
serverName = afemssplunk
[sslConfig]
sslKeysfilePassword = SameHashAsOutputs.confSSLPassword,CauseThey'reTheSamePassword
cipherSuite = TLSv1+HIGH:@STRENGTH
sslVersions = tls,-ssl2,-ssl3
Here's my failing outputs.conf:
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = 129.52.27.30:9997
compressed = true
[tcpout-server://129.52.27.30:9997]
sslAltNameToCheck = winsplunk
sslCertPath = /opt/splunkforwarder/etc/certs/server.pem
sslCommonNameToCheck = winsplunk
sslPassword = totallyFunctionalHash
sslRootCAPath = /opt/splunkforwarder/etc/certs/cacert.pem
sslVerifyServerCert = true
Here's my failing server.conf:
[lmpool:auto_generated_pool_forwarder]
description = auto_generated_pool_forwarder
quota = MAX
slaves = *
stack_id = forwarder
[lmpool:auto_generated_pool_free]
description = auto_generated_pool_free
quota = MAX
slaves = *
stack_id = free
[general]
pass4SymmKey = AnotherFunctionalHash
serverName = afemssplunk
[sslConfig]
sslKeysfilePassword = SameHashAsOutputs.confSSLPassword,CauseThey'reTheSamePassword
cipherSuite = TLSv1+HIGH:@STRENGTH
sslVersions = tls,-ssl2,-ssl3
sslKeysfile = server.pem
caCertFile = cacert.pem
caPath = /opt/splunkforwarder/etc/certs
[1]: https://answers.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certificates-and-authentication.html
↧
How to troubleshoot "Splunkd daemon is not responding...the handshake operation timed out" errors in Splunk 6.0?
Hi All,
Starting about two months ago, our **Splunk 6.0** deployment began encountering these errors out of nowhere on a frequent basis. It is causing us much distress because a reboot is always needed to get it back up again.
Did some searching and didn't find anything that could be related. We are slowly un-deploying all our apps to see if one of them is causing this issue. If all else fails, we will probably be looking at a re-installation (and upgrade).
If someone understands what this error is trying to tell us, please kindly point us in the right direction. It will be greatly appreciated!
Thank you!
Samuel
Errors:
**11-07-2015** 23:16:05.434 +0800 ERROR AdminManager - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 70, in init\n hand.execute(info)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 527, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/etc/system/bin/DataModelAccelerationHandler.py", line 20, in handleList\n sc_rest.BaseRestHandler.handleList(self, confInfo)\n File "/opt/splunk/etc/system/bin/sc_rest.py", line 74, in handleList\n ent = self.all()\n File "/opt/splunk/etc/system/bin/sc_rest.py", line 221, in all\n offset=self.posOffset)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/entity.py", line 129, in getEntities\n atomFeed = _getEntitiesAtomFeed(entityPath, namespace, owner, search, count, offset, sort_key, sort_dir, sessionKey, uri, hostPath, **kwargs)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/entity.py", line 222, in _getEntitiesAtomFeed\n serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 469, in simpleRequest\n raise splunk.SplunkdConnectionException, 'Error connecting to %s: %s' % (path, str(e))\nSplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /servicesNS/-/-/data/models: _ssl.c:506: The handshake operation timed out',)\n
**11-07-2015** 23:16:05.434 +0800 ERROR AdminManager - Unexpected error "" from python handler: "Splunkd daemon is not responding: ('Error connecting to /servicesNS/-/-/data/models: _ssl.c:506: The handshake operation timed out',)". See splunkd.log for more details.
**11-07-2015** 23:16:05.434 +0800 ERROR SummarizationHandler - Error listing accelerated data models: Unexpected error "" from python handler: "Splunkd daemon is not responding: ('Error connecting to /servicesNS/-/-/data/models: _ssl.c:506: The handshake operation timed out',)". See splunkd.log for more details.
**11-07-2015** 23:17:06.423 +0800 ERROR AdminManager - Stack trace from python handler:\nTraceback (most recent call last):\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 70, in init\n hand.execute(info)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/admin.py", line 527, in execute\n if self.requestedAction == ACTION_LIST: self.handleList(confInfo)\n File "/opt/splunk/etc/system/bin/DataModelAccelerationHandler.py", line 20, in handleList\n sc_rest.BaseRestHandler.handleList(self, confInfo)\n File "/opt/splunk/etc/system/bin/sc_rest.py", line 74, in handleList\n ent = self.all()\n File "/opt/splunk/etc/system/bin/sc_rest.py", line 221, in all\n offset=self.posOffset)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/entity.py", line 129, in getEntities\n atomFeed = _getEntitiesAtomFeed(entityPath, namespace, owner, search, count, offset, sort_key, sort_dir, sessionKey, uri, hostPath, **kwargs)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/entity.py", line 222, in _getEntitiesAtomFeed\n serverResponse, serverContent = rest.simpleRequest(uri, getargs=kwargs, sessionKey=sessionKey, raiseAllErrors=True)\n File "/opt/splunk/lib/python2.7/site-packages/splunk/rest/__init__.py", line 469, in simpleRequest\n raise splunk.SplunkdConnectionException, 'Error connecting to %s: %s' % (path, str(e))\nSplunkdConnectionException: Splunkd daemon is not responding: ('Error connecting to /servicesNS/-/-/data/models: _ssl.c:506: The handshake operation timed out',)\n
↧
Why are third-party certs getting deleted out of the $SPLUNK_HOME/etc/auth/Certs directory?
Anyone know what would cause all the certs to be deleted out of the `$SPLUNK_HOME/etc/auth/Certs` directory? Must they be put in auth?
↧
Is there a limitation with the ssl version allowed for the Splunk ODBC driver?
I was attempting to get the ODBC driver working in my environment. I set up the instance according to the documentation, although I found the documentation lacking regarding the certs assigned in server.conf. When I set it up, I could get the web browser to load the address https://server.name:8089 with a secure connection, but I could not get Microsoft Query (Excel) to connect.
I would receive the following error: "[40]error with http api, error code couldn't connect to the server"
server.conf settings:
[sslConfig]
enableSplunkdSSL = true
sslKeysfile = ca_key_inter_root.pem
caCertFile = inter_root.pem
caPath = $SPLUNK_HOME/etc/apps/config_https/mycerts/
sslVersions = *, -ssl2, -ssl3
I solved the issue by updating the sslVersions option to allow "ssl3". The connection started working. The problem is that this opens up vulnerabilities that I am not comfortable with. So now on to the question: I am not sure if this is a limitation of the Splunk ODBC driver, Microsoft Query, or Splunk Enterprise. Any help with clarification would be much appreciated.
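The trade-off in the post above (re-enabling ssl3 to satisfy an old client) is easier to reason about if you can see exactly which protocols a given sslVersions string turns on. The following is an added example, not Splunk's code, that evaluates the sslVersions syntax Splunk 6.x documents for server.conf and outputs.conf: the names ssl3, tls1.0, tls1.1 and tls1.2, the group "tls" (all TLS versions), the wildcard "*", and a "-" prefix that removes an entry; SSLv2 is always disabled and "-ssl2" is accepted but does nothing. Applying tokens left to right is an assumption; every setting quoted on this page lists its removals after "*" or "tls", where the order does not matter. The PAGE_SETTINGS table collects the values that appear in the posts above, including the "before" and "after" of the ODBC change.

```python
"""Evaluate a Splunk sslVersions setting to the protocol set it actually enables.

Added example for this page, not Splunk's code. Covers the Splunk 6.x syntax
for server.conf [sslConfig] sslVersions (and the same setting in outputs.conf):
version names, the "tls" group, the "*" wildcard, and "-" removal. SSLv2 is
always off, so "-ssl2" is a no-op. Left-to-right evaluation is an assumption.
"""
VERSIONS = ("ssl3", "tls1.0", "tls1.1", "tls1.2")
GROUPS = {"*": set(VERSIONS), "tls": {"tls1.0", "tls1.1", "tls1.2"}}
BROKEN = {"ssl3"}                 # POODLE-class attacks; nothing should need it
LEGACY = {"tls1.0", "tls1.1"}     # deprecated, still common with older agents and ODBC stacks


def resolve_ssl_versions(spec: str) -> set:
    """Return the set of protocol versions enabled by an sslVersions value."""
    enabled = set()
    for raw in spec.split(","):
        token = raw.strip().lower()
        if not token:
            continue
        remove = token.startswith("-")
        name = token[1:] if remove else token
        if name == "ssl2":
            continue                              # never enabled, whatever the sign
        members = GROUPS.get(name)
        if members is None:
            if name not in VERSIONS:
                raise ValueError(f"unknown sslVersions token: {raw.strip()!r}")
            members = {name}
        if remove:
            enabled -= members
        else:
            enabled |= members
    return enabled


def lint_ssl_versions(spec: str) -> list:
    """Review-style findings for one setting; an empty list means nothing to flag."""
    enabled = resolve_ssl_versions(spec)
    findings = []
    if enabled & BROKEN:
        findings.append(f"{spec!r} enables SSLv3; use 'tls' or '*,-ssl3' at minimum")
    if enabled & LEGACY and "tls1.2" in enabled:
        findings.append(f"{spec!r} still offers {sorted(enabled & LEGACY)}; "
                        "prefer 'tls1.2' if every client supports it")
    if not enabled:
        findings.append(f"{spec!r} enables nothing; splunkd will have no protocol to negotiate")
    return findings


# The sslVersions values quoted in the posts on this page.
PAGE_SETTINGS = {
    "deployment server / client":      "tls, -tls1.0",
    "default server.conf (6.3.1 btool)": "*,-ssl2",
    "forwarder server.conf":           "tls,-ssl2,-ssl3",
    "ODBC post, before":               "*, -ssl2, -ssl3",
    "ODBC post, after allowing ssl3":  "*, -ssl2",
}

if __name__ == "__main__":
    for where, spec in PAGE_SETTINGS.items():
        print(f"{where:36} {spec:18} -> {sorted(resolve_ssl_versions(spec))}")
        for finding in lint_ssl_versions(spec):
            print("   !", finding)
```

Run as a script it walks the page's settings; the only one that trips the SSLv3 finding is the post-fix ODBC value, which is the point the poster was uneasy about. Later Splunk releases added tls1.3 and changed the default, so extend VERSIONS before pointing this at a current server.conf.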
↧
need help with SSL certificates
Hi ,
A little confused with SSL certificate types.
I got a PFX file (wildcard certificate) and I want to insert the certificate into Splunkweb.
I read here:
http://docs.splunk.com/Documentation/Splunk/6.2.0/Security/SecureSplunkWebusingasignedcertificate
that I need a private.key and a pem certificate.
Where do I get the private key?
I know how to convert a pfx file to a public key that contains the private key also.
↧
Why am I seeing "DistributedPeerManagerHeartbeat - Unable to get server info from peer... due to connection reset" on my cluster master log?
I have seen a few other questions similar to this one, but not exactly, and the solutions do not work.
In my cluster master log, I am seeing the following error repeatedly:
01-08-2016 23:37:42.853 +0000 WARN DistributedPeerManagerHeartbeat - Unable to get server info from peer: http://:8089 due to: Connection reset by peer
On the indexer, I see the following:
08-02-2014 18:11:42.033 -0700 WARN HttpListener - Socket error from ,cmaster ip. while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
The indexer is connecting to the master since I can see it in the master's indexer clustering peers and indexes tabs.
This appears to be an SSL issue, but I cannot figure out what. The indexer says it is connecting with http, but I would expect it to connect with https. But where is this set? The indexer is connecting to the master with the following server.conf stanza:
[clustering]
master_uri = https://:8089
mode = slave
pass4SymmKey =
I verified that all passwords are correct.
↧
Connection problems with Universal Forwarder for Linux ARM and Splunk Cloud (SSL error)
Hi everyone,
I am currently trying to run the Universal Forwarder for Linux ARM on a Raspberry Pi 2 Model B with Arch Linux installed. I want to forward the data to Splunk Cloud; however, I'm having connection problems. Does the Universal Forwarder for Linux ARM work with Splunk Cloud?
Here is what is installed:
[root@raspi splunk]# cat /proc/version
Linux version 3.18.8-1-ARCH (builduser@leming) (gcc version 4.9.2 20141224 (prerelease) (GCC) ) #1 SMP PREEMPT Fri Feb 27 19:37:26 MST 2015
My splunkd.log contains the following (many lines with the same):
[root@raspi splunk]# tail splunkd.log
01-14-2016 12:35:04.697 +0000 ERROR TcpOutputFd - Connection to host=xxx.xxx.xxx.xxx:9997 failed. sock_error = 104. SSL Error = error:00000000:lib(0):func(0):reason(0)
01-14-2016 12:35:04.706 +0000 ERROR TcpOutputFd - Read error. Connection reset by peer
The universal forwarder credentials splunkclouduf.spl are installed. For testing I am monitoring the directory /opt/splunkforwarder/var/log/
Compare the output of list monitor:
[root@raspi splunk]# /opt/splunkforwarder/bin/splunk list monitor
Monitored Directories:
$SPLUNK_HOME/var/log/splunk/splunkd.log
/opt/splunkforwarder/var/log/splunk/audit.log
/opt/splunkforwarder/var/log/splunk/btool.log
...
$SPLUNK_HOME/var/spool/splunk/...stash_new
Monitored Files:
$SPLUNK_HOME/etc/splunk.version
I am also running the Splunk Universal Forwarder Version 6.3.2 on a "normal" Linux (Debian) machine. There it works without problems.
Any help is appreciated! Let me know if you need any more output...
↧
Why am I getting heavy forwarder error "TcpInputConfig - SSL server certificate not found, or password is wrong..."?
I need to send data from a security appliance to a Splunk Heavy Forwarder on a listening port using TCP-TLS. I get the errors below in opt/splunk/var/log/splunk/splunkd.log every time Splunk is started.
ERROR SSLCommon - Can't read key file /opt/splunk/etc/certs/cert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.
ERROR TcpInputConfig - SSL server certificate not found, or password is wrong - SSL ports will not be opened
ERROR TcpInputConfig - SSL context not found. Will not open raw (SSL) IPv4 port 17814
Here are the steps I followed:
1. Generated CSR file on my Heavy Forwarder and sent to my certificate provider to have it signed.
2. Received *.cer back from my certificate provider.
3. Ran following command to convert `*.cer` into `*.pem`: `openssl x509 -inform pem -in certificate.cer -outform der -out certificate.pem`
4. Copied cert.pem & InternalRootCA.pem to /opt/splunk/etc/certs
5. Here is my inputs.conf
[SSL]
rootCA = $SPLUNK_HOME/etc/certs/InternalRootCA.pem
serverCert = $SPLUNK_HOME/etc/certs/cert.pem
password = ***************
requireClientCert = false
[tcp-ssl://17814]
sourcetype = syslog
index = **
Restart Splunk & I get errors:
ERROR SSLCommon - Can't read key file /opt/splunk/etc/certs/cert.pem errno=151441516 error:0906D06C:PEM routines:PEM_read_bio:no start line.
ERROR TcpInputConfig - SSL server certificate not found, or password is wrong - SSL ports will not be opened
ERROR TcpInputConfig - SSL context not found. Will not open raw (SSL) IPv4 port 17814
The cert folder only includes the two files
InternalRootCA.pem
cert.pem
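Two of the posts on this page fail at the same step, loading the certificate file: the indexer post earlier on the page got "Can't read certificate file" until the private key was concatenated into the bundle, and the heavy forwarder post just above gets "PEM routines:PEM_read_bio:no start line" after an openssl conversion that wrote DER output (-outform der) into a file named .pem. The following is an added example, not Splunk's code, that inspects a candidate sslKeysfile / serverCert before splunkd does: it sniffs for a DER header, lists the PEM blocks in file order, confirms there is a private key block and that the first CERTIFICATE is in the leaf position, and checks whether the key is encrypted, which is the case where sslKeysfilePassword (or the inputs.conf [SSL] password) must be set. The sample bundles are constructed with placeholder bodies, not real keys or certificates; the documented order cert, key, CA chain is reported as a warning rather than an error, since OpenSSL locates the key by its PEM label.

```python
"""Pre-flight check for a Splunk sslKeysfile / serverCert PEM bundle.

Added example for this page (not Splunk's code). Splunk's OpenSSL-based loader
expects one PEM file containing the server certificate, its private key and
the CA chain. Two failure modes quoted on this page: a cert+CA bundle with no
private key, and a DER-encoded certificate renamed to .pem.
"""
import re

# One PEM object: label on the BEGIN/END lines, base64 (plus optional headers) in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def is_der(data: bytes) -> bool:
    """A DER certificate is an ASN.1 SEQUENCE (0x30) with a long-form length (0x81..0x83)."""
    return len(data) >= 2 and data[0] == 0x30 and data[1] in (0x81, 0x82, 0x83)


def pem_blocks(data: bytes):
    """Return [(label, body)] for every PEM block in the file, in file order."""
    text = data.decode("ascii", errors="replace")
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def key_is_encrypted(label: str, body: str) -> bool:
    """PKCS#8 encrypted keys carry their own label; legacy PEM keys use a Proc-Type header."""
    return label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body


def inspect_bundle(data: bytes, password_configured: bool = False) -> dict:
    """Classify a candidate sslKeysfile and list what splunkd would complain about."""
    report = {"format": "PEM", "labels": [], "encrypted_key": False, "problems": []}
    if is_der(data):
        report["format"] = "DER"
        report["problems"].append("DER-encoded file; convert with "
                                  "'openssl x509 -inform der -in f -out f.pem' "
                                  "(PEM_read_bio:no start line otherwise)")
        return report
    blocks = pem_blocks(data)
    report["labels"] = [label for label, _ in blocks]
    if not blocks:
        report["problems"].append("no PEM blocks found (wrong file, or not ASCII armored)")
        return report
    certs = [i for i, (label, _) in enumerate(blocks) if label == "CERTIFICATE"]
    keys = [i for i, (label, _) in enumerate(blocks) if label in KEY_LABELS]
    if not certs:
        report["problems"].append("no CERTIFICATE block")
    elif certs[0] != 0:
        # OpenSSL's chain loader treats the first CERTIFICATE as the leaf.
        report["problems"].append("first block is not the server certificate")
    if not keys:
        report["problems"].append("no private key block: splunkd loads the key from "
                                  "sslKeysfile, so cert+CA alone fails")
    elif len(keys) > 1:
        report["problems"].append("more than one private key block")
    else:
        label, body = blocks[keys[0]]
        report["encrypted_key"] = key_is_encrypted(label, body)
        if report["encrypted_key"] and not password_configured:
            report["problems"].append("encrypted key but no sslKeysfilePassword / password set")
        if keys[0] != 1:
            # Documented layout is cert, key, CA chain; OpenSSL finds the key by label,
            # so this is a layout warning, not a load failure.
            report["problems"].append("private key is not the second block "
                                      "(documented order: cert, key, CA)")
    return report


# Constructed samples: placeholder base64 bodies, not real keys or certificates.
def _block(label: str, body: str = "Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keQ==") -> str:
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

CERT_PLUS_CA = (_block("CERTIFICATE") + _block("CERTIFICATE")).encode()      # the layout that failed
CERT_KEY_CA = (_block("CERTIFICATE") + _block("RSA PRIVATE KEY") + _block("CERTIFICATE")).encode()
ENCRYPTED_KEY_BUNDLE = (_block("CERTIFICATE")
                        + _block("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQUJD")
                        + _block("CERTIFICATE")).encode()
DER_RENAMED = b"\x30\x82\x03\x2a\x30\x82\x02\x12" + b"\x00" * 8               # SEQUENCE header only

if __name__ == "__main__":
    for name, data in [("cert+CA", CERT_PLUS_CA), ("cert+key+CA", CERT_KEY_CA),
                       ("encrypted key", ENCRYPTED_KEY_BUNDLE), ("DER as .pem", DER_RENAMED)]:
        print(name, inspect_bundle(data))
```

Point inspect_bundle() at the real file (open(path, "rb").read()) before restarting splunkd; a clean report does not prove the key matches the certificate, which `openssl x509 -noout -modulus` against `openssl rsa -noout -modulus` still has to confirm, but it catches the two file-shape mistakes this page documents.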
↧
Why are syslog events sent over TCP-SSL not human readable, but works fine without SSL?
Trying to get syslog sent using SSL. Port 1468 without SSL is working fine. Port 6514 is receiving syslog events, but they are not human readable.
[tcp://1468]
connection_host = dns
sourcetype = syslog
[tcp-ssl://6514]
connection_host = dns
sourcetype = syslog
Event data from port 1468:
1/21/16
8:44:00.000 AM
<134>1 2016-01-21T16:44:00.000Z dogfood.xxxxxx.com LocalityServer - - [meta sequenceId="4773505"][WWANSampleData@11912 LocalityUID="0012f8920cfbdde9bd6e5c2a38c4221e" DiagnosticsUID="0012f8920cfbdde9bd6e5c2a38c4221e" MobilityPID="01D06E337DA628B3005056814A3A006"]
Event data from port 6514:
1/21/16
8:39:29.000 AM
\x00b\x00\x00^V\xA1 \xBD\xB6ޏQ\xED\xBB\xA5!~\xB1̟_1Sõĵ?\xBC\xF6ک('\x00\x00\xC0\xC0\x005\x00/\xC0
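The bytes in the 6514 event are worth decoding before anything else. In Splunk's escaped rendering, `\x005` is the byte pair 00 35 and `\x00/` is 00 2F; those are the TLS cipher-suite IDs TLS_RSA_WITH_AES_256_CBC_SHA and TLS_RSA_WITH_AES_128_CBC_SHA, and the surrounding `\xC0..` pairs are the ECDHE range, which is what the cipher-suite list of a ClientHello looks like when it is indexed as text. The post does not establish why the handshake bytes ended up as event data, so the following added example (not Splunk's code) only gives you the test: parse_client_hello() decodes a complete TLS record, and scan_known_suites() is the fallback for an indexed fragment where the record framing is gone, as it is in the event above because Splunk split on a newline byte. The sample ClientHello and the syslog line are constructed here, not captured.

```python
"""Tell TLS handshake bytes from syslog text, for a tcp-ssl input that yields garbage.

Added example for this page, not Splunk's code. A ClientHello carries a list of
2-byte cipher-suite IDs; if the "events" from a TLS port contain such a list, the
receiver is reading the handshake as data instead of terminating it.
"""
import struct

# A few IANA cipher-suite IDs, enough to recognise a typical 2015-era client list.
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x003C: "TLS_RSA_WITH_AES_128_CBC_SHA256",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}


def build_client_hello(suites, client_version=(3, 3)) -> bytes:
    """Construct a minimal ClientHello record (zero random, no extensions) for testing."""
    body = bytes(client_version) + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data: bytes):
    """Parse a complete TLS record holding a ClientHello; return None if it is not one."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None                                # not a Handshake record with SSL3/TLS major version
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                # not a ClientHello message
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        return None
    pos = 35 + body[34]                            # skip version, 32-byte random, session id
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    raw = body[pos + 2:pos + 2 + cs_len]
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, len(raw) - 1, 2)]
    return {"record_version": (data[1], data[2]), "client_version": (body[0], body[1]),
            "cipher_suites": suites,
            "names": [CIPHER_NAMES.get(s, f"unknown_0x{s:04x}") for s in suites]}


def scan_known_suites(data: bytes, min_hits: int = 2):
    """Heuristic for a fragment without record framing: try both byte alignments and
    return (offset, id, name) for the alignment with the most known suite IDs."""
    best = []
    for start in (0, 1):
        hits = []
        for i in range(start, len(data) - 1, 2):
            word = struct.unpack("!H", data[i:i + 2])[0]
            if word in CIPHER_NAMES:
                hits.append((i, word, CIPHER_NAMES[word]))
        if len(hits) > len(best):
            best = hits
    return best if len(best) >= min_hits else []


# Constructed inputs: a ClientHello offering six suites, and an RFC 5424-shaped syslog line.
SAMPLE_SUITES = [0xC02F, 0xC030, 0xC014, 0x0035, 0x002F, 0x00FF]
SAMPLE_HELLO = build_client_hello(SAMPLE_SUITES)
SYSLOG_LINE = b"<134>1 2016-01-21T16:44:00.000Z host app - - - constructed sample"

if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_HELLO)["names"])
    print(scan_known_suites(SAMPLE_HELLO[20:]))    # fragment: header lost, suites still found
    print(parse_client_hello(SYSLOG_LINE), scan_known_suites(SYSLOG_LINE))
```

If scan_known_suites() lights up on what the indexer stored for port 6514, the sender and receiver are not agreeing on where TLS starts on that connection, and the fix is on the configuration side (the inputs.conf [SSL] stanza and the sender's TLS settings) rather than in the sourcetype.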
↧