Why are we unable to access Splunk web GUI via Amazon Web Services (AWS) Elastic Load Balancing (ELB) DNS name?

vicky58
Explorer

We ran into an issue where we are unable to access the Splunk web GUI using the Amazon Web Services (AWS) Elastic Load Balancing (ELB) DNS name, for example http://ELB:PORT or https://ELB/en-US/account/login.

Details: Classic Load Balancer and Splunk version 6.6.3

We are able to connect to port 8000 when we try http://IP:8000 but are unable to access the GUI via the ELB DNS name http://ELB:8000.

We deployed in a VPC and enabled network security group rules internally between the ELB and the EC2 instance.

Below are the ELB configurations:-

Ping Target:-   
HTTP:8000/en-US/account/login?return_to=%2Fen-US%2F
Timeout: 10 seconds
Interval: 30 seconds
Unhealthy threshold: 2
Healthy threshold: 10

Health check is "Inservice" — currently we are using only 1 Availability zone — Instance is healthy

Listeners:- ELB -HTTP -8000- Instance protocol - HTTP -8000

We are able to open the GUI using the IP (http://IP:8000), but not able to access it via the ELB name. Do we need to make any changes to the ELB configuration? Has anyone gone through this same issue? Appreciate your help.

Also, we tested by enabling HTTPS in web.conf (enableSplunkWebSSL = true). We are able to open the GUI on https://IP:PORT but not on https://ELB:PORT.

We are facing this issue even with the HTTP protocol (ELB -> HTTP -> 8000, instance protocol -> HTTP -> 8000). Looking for recommended ways to configure ELB settings for HTTPS.

vicky58
Explorer

After hours of struggle we made a few modifications, and finally we were able to open the GUI using the ELB name on HTTP. But now the issue is with the HTTPS protocol. We are getting ELB health check failures (instance "Out of service") over the HTTPS protocol.

We have enabled splunkwebSSL in local web.conf, and made changes to the ELB settings as below

Target Path:HTTPS:8000/en-US/account/login?return_to=%2Fen-US%2F
Timeout: 10 seconds
Interval: 30 seconds

The only time we get the health check to work properly is when changing to the TCP protocol, TCP:8000, but TCP is not the port we want to use as it only looks for a listening port and not that Splunk is running. As per previous Splunk answers on the same issue, we verified web.conf under /splunk_home/splunk/etc/system/default/web.conf for the TLS1.2 version cipherSuite.

It exists in our Splunk web.conf default path:

ciphers to cipherSuite:

ECDHE-RSA-AES128-SHA

sslVersions = tls1.2
cipherSuite = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
ecdhCurves = prime256v1, secp384r1, secp521r1

We are seeing this issue on Splunk 6.6.3.

0 Karma

back2root
Path Finder

Do you have Backend authentication enabled and if so have you configured the right back end server certificate within AWS ELB?

0 Karma

vicky58
Explorer

Nope, we haven't configured backend authentication, just enabled splunk default SSL.
/local/web.conf
[settings]
enableSplunkWebSSL = true

Web gui running on https://IP:8000

Using TCP protocol on ELB configurations, ELB Listener TCP - 8000, Instance listener TCP 8000

0 Karma

khoitoy
Observer

Hi there, any luck with this? I'm having the exact same issue.

0 Karma