We are trying to use Splunk stream on a webserver with IIS, using https based site.
Web server is listening on port 8443. Diffie-Hellman is disabled on that IIS server.
We ran the following:
HTTP src_port 8443 OR dest_port 8443
TCP src_port 8443 OR dest_port 8443
As a result, we do not get HTTP events, just TCP events with unreadable content.
We also see in streamfwd.log the following:
stream.SSL - SSL decryption error (cannot decrypt ephemeral session)
stream.packetProcessor - SSL record decryption error (corrupted data?) (ssl) [c=10.0.0.1:45674,s=10.0.0.2:8443]
To investigate and eliminate networking and promiscuous mode issues, we used the openssl guide to simulate the same scenario without IIS:
Using openssl as a webserver on the same UF, Stream was able to successfully decrypt the data.
We received both TCP and HTTP events.
Any idea what could be the issue?
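Added example, not part of the post above: a small Python helper that summarises the two kinds of streamfwd.log error quoted in the post and classifies a negotiated cipher suite name by whether its key exchange is static RSA, the only kind a passive decryptor holding the server's private key can recover (DHE/ECDHE suites and all TLS 1.3 suites use ephemeral keys). The sample log lines and cipher suite names are constructed.

```python
import re
from collections import Counter

# Constructed sample in the streamfwd.log format quoted in the post.
SAMPLE_LOG = """\
stream.SSL - SSL decryption error (cannot decrypt ephemeral session)
stream.packetProcessor - SSL record decryption error (corrupted data?) (ssl) [c=10.0.0.1:45674,s=10.0.0.2:8443]
stream.packetProcessor - SSL record decryption error (corrupted data?) (ssl) [c=10.0.0.1:45680,s=10.0.0.2:8443]
stream.SSL - SSL decryption error (cannot decrypt ephemeral session)
"""

# Matches the "[c=client:port,s=server:port]" suffix on packetProcessor errors.
ENDPOINT_RE = re.compile(
    r"\[c=(?P<client>[\d.]+):(?P<cport>\d+),s=(?P<server>[\d.]+):(?P<sport>\d+)\]"
)

# Key-exchange tokens that are ephemeral or not RSA-based (IANA and OpenSSL spellings).
NON_STATIC_RSA_KX = re.compile(r"(^|_)(A?DHE?|A?ECDHE?|PSK|SRP|KRB5)(_|$)")


def parse_streamfwd(text):
    """Count ephemeral-session errors and record-decryption errors per server endpoint."""
    ephemeral = 0
    per_server = Counter()
    for line in text.splitlines():
        if "cannot decrypt ephemeral session" in line:
            ephemeral += 1
        m = ENDPOINT_RE.search(line)
        if m and "decryption error" in line:
            per_server[(m["server"], int(m["sport"]))] += 1
    return {"ephemeral_errors": ephemeral, "record_errors": dict(per_server)}


def decryptable_by_static_rsa(cipher_suite):
    """True only when the suite uses static RSA key exchange, e.g.
    TLS_RSA_WITH_AES_128_GCM_SHA256 or OpenSSL's AES128-GCM-SHA256."""
    n = cipher_suite.upper().replace("-", "_")
    if n.startswith(("TLS_AES_", "TLS_CHACHA20_")):  # TLS 1.3: always ephemeral
        return False
    return NON_STATIC_RSA_KX.search(n) is None


if __name__ == "__main__":
    print(parse_streamfwd(SAMPLE_LOG))
    for suite in ("TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"):
        print(suite, "static RSA:", decryptable_by_static_rsa(suite))
```

A rising count of "cannot decrypt ephemeral session" errors for a server endpoint means that endpoint is negotiating ephemeral key exchange, regardless of which Diffie-Hellman setting was disabled.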