topic Re: Can't get event in Splunk Search

Can't get event

khalidewaidah — Tue, 29 Sep 2020 15:00:38 GMT

Dear ,
I installed universal Forward on windows server 2003 & I the installation was successfully but the event & path that put in inpit.conf not working & sending logs to splunk I tried to check if there is any permission issue by using this SPL (index=_internal "Machine Name" "Path" ) nothing appear . Also I fond below error when I run this SPL (index=_internal "10.160.0.5" ssl) maybe this is the reason .

07-24-2017 09:19:42.753 +0300 ERROR TcpInputProc - Error encountered for connection from src=10.160.0.5:3373. error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired

I'm looking forward your help please

Re: Can't get event

gcusello — Mon, 24 Jul 2017 06:36:44 GMT

Hi khalidewaidah,
two questions:
did you used SSL for connections to Indexers?
if this is your situation, you have to modify your outputs.conf inserting SSL

sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false

what version of Splunk Forwarder you used?
last certified version on Windows 2003 is 6.3.10 and I remeber that there was a problem on certificates for pre 6.3 versions, probably there's the same problem; I suggest to ask it to the Splunk Support support@splunk.com.

Anyway, you can create new SSL certs using the $SPLUNK_HOME/bin/splunk createssl command. Run $SPLUNK_HOME/bin/splunk help createssl for the parameters, and make sure you back up your old certificates first.

Bye.
Giuseppe

Re: Can't get event

khalidewaidah — Mon, 24 Jul 2017 08:48:46 GMT

The splunk version installed is 6.1.7 can I upgrade it to 6.3.10 directory .

Re: Can't get event

gcusello — Mon, 24 Jul 2017 08:59:10 GMT

Splunk Support last year sent an issue about this problem and the procedure to update Forwarders expired Certificate.
https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html?elqTrackId=4f5861c90f7f4a75b297cee5d33506ec&elq=60410c33f42c43668e31f080db08fc87&elqaid=7582&elqat=1&elqCampaignId=

Bye.
Giuseppe

Re: Can't get event

khalidewaidah — Mon, 24 Jul 2017 09:00:11 GMT

Also I used SSL on indexer already

Re: Can't get event

gcusello — Mon, 24 Jul 2017 09:26:40 GMT

SSL can be used to access to Splunk Web and to send logs from Forwarders to Indexers.
To have the second issue you must have on your Indexers, in $SPLUNK_HOME/etc/system/local/inputs.conf the following lines (see http://docs.splunk.com/Documentation/Splunk/6.6.2/Security/AboutsecuringyourSplunkconfigurationwithSSL 😞

[SSL]
password = XXXXXXXXXXXXX
rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem

Bye.
Giuseppe

Re: Can't get event

khalidewaidah — Tue, 29 Sep 2020 15:00:44 GMT

Hi ,
Below all config i did .

1- On indexers below setting put it

[splunktcp-ssl:9997]
disabled = 0

[SSL]
password = $1$hRTZVBQRSqRp
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem

2- On Forward below setting put it

Configure Outputs on Universal Forwarders in KW

[tcpout]
defaultGroup = kw_indexer_new
useACK = true
forceTimebasedAutoLB = true

[tcpout:kw_indexer_new]
server = ksplkprdaio.alrajhi.bank:9997
autoLB = true
sslVerifyServerCert = false
sslPassword = password
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
useClientSSLCompression = true

3- Below input.conf push to universal forward .

[monitor://D:\FTP\BlueCoatLogs*.log.gz]
disabled = 0
host = kwproxysg1

blacklist = .(gz|tgz|bz2|z|zip)$

index = bcoat
sourcetype = bluecoat:proxysg:access:file

I did all above things but still the problem still exists .