Dear,
I installed the Universal Forwarder on Windows Server 2003 and the installation was successful, but the event and path that I put in inputs.conf are not working and not sending logs to Splunk. I tried to check if there is any permission issue by using this SPL (index=_internal "Machine Name" "Path") and nothing appeared. Also I found the error below when I run this SPL (index=_internal "10.160.0.5" ssl); maybe this is the reason.
07-24-2017 09:19:42.753 +0300 ERROR TcpInputProc - Error encountered for connection from src=10.160.0.5:3373. error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
I'm looking forward to your help, please.
Also, I already use SSL on the indexer.
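The question above is diagnosed from the indexer's _internal index, so as an added example (not code from the thread or from Splunk) here is a small parser that does the same triage offline over splunkd.log lines. The sample lines are constructed: the first is the line quoted in the question, the remaining three are made up to show a clean connection and a different alert; the function names are my own. It also records whether the OpenSSL error is an alert received from the peer, which tells you which side of the connection rejected the handshake.

```python
"""Triage TcpInputProc SSL errors from splunkd.log lines.

Added example, not from the original thread or from Splunk. The sample lines
are constructed to match the splunkd.log format quoted in the question; the
first one is the line from the thread, the others are made up for the demo.
"""
import re
from collections import Counter, defaultdict

# splunkd.log: "<MM-DD-YYYY HH:MM:SS.mmm +ZZZZ> <LEVEL> <Component> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
SRC_RE = re.compile(r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
# OpenSSL error string: error:<code>:<library>:<function>:<reason>
OSSL_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

# Constructed sample input (line 1 is from the thread, the rest are invented).
SAMPLE_LOG = """\
07-24-2017 09:19:42.753 +0300 ERROR TcpInputProc - Error encountered for connection from src=10.160.0.5:3373. error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
07-24-2017 09:20:12.101 +0300 ERROR TcpInputProc - Error encountered for connection from src=10.160.0.5:3374. error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
07-24-2017 09:20:30.004 +0300 INFO  TcpInputProc - Connection in cooked mode from src=10.160.0.7:51020
07-24-2017 09:21:05.880 +0300 ERROR TcpInputProc - Error encountered for connection from src=10.160.0.9:40112. error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
""".splitlines()


def parse_line(line):
    """Parse one splunkd.log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    s = SRC_RE.search(rec["msg"])
    rec["src_ip"] = s.group("ip") if s else None
    rec["src_port"] = int(s.group("port")) if s else None
    o = OSSL_RE.search(rec["msg"])
    rec["ssl_func"] = o.group("func") if o else None
    rec["ssl_reason"] = o.group("reason").strip() if o else None
    # An error raised in ssl3_read_bytes with an "... alert ..." reason is a
    # fatal TLS alert *received from the peer*. Logged by an indexer, it means
    # the forwarder aborted the handshake (here: it judged a certificate
    # expired), so the chain to inspect first is the one the indexer presents
    # (its server cert and the CA it was signed by).
    rec["alert_from_peer"] = bool(
        o and o.group("func") == "ssl3_read_bytes" and " alert " in o.group("reason")
    )
    return rec


def summarize_ssl_errors(lines, component="TcpInputProc"):
    """Count SSL error reasons per source IP for one splunkd component.

    Returns {src_ip: {reason: count}}, roughly what grouping the _internal
    ERROR events of that component by source would show.
    """
    out = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["level"] == "ERROR" and rec["component"] == component
                and rec["ssl_reason"]):
            out[rec["src_ip"]][rec["ssl_reason"]] += 1
    return {ip: dict(c) for ip, c in out.items()}


def peer_rejections(lines, src_ip):
    """Return the alert reasons a given source sent, i.e. what that side rejected."""
    return sorted({rec["ssl_reason"] for rec in map(parse_line, lines)
                   if rec and rec["src_ip"] == src_ip and rec["alert_from_peer"]})


if __name__ == "__main__":
    for ip, reasons in summarize_ssl_errors(SAMPLE_LOG).items():
        print(ip, reasons)
    print("10.160.0.5 rejected:", peer_rejections(SAMPLE_LOG, "10.160.0.5"))
```

Feed it the export of index=_internal component=TcpInputProc for the affected host; a forwarder that never appears in the summary at all is usually a connectivity or outputs.conf problem rather than a certificate one.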
Hi khalidewaidah,
Two questions:
Did you use SSL for connections to the Indexers?
If this is your situation, you have to modify your outputs.conf, inserting the SSL settings:
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
sslVerifyServerCert = false
What version of the Splunk Forwarder do you use?
The last certified version on Windows 2003 is 6.3.10, and I remember that there was a problem with certificates for pre-6.3 versions; probably it's the same problem. I suggest asking Splunk Support, support@splunk.com.
Anyway, you can create new SSL certs using the $SPLUNK_HOME/bin/splunk createssl command. Run $SPLUNK_HOME/bin/splunk help createssl for the parameters, and make sure you back up your old certificates first.
Bye.
Giuseppe
The Splunk version installed is 6.1.7; can I upgrade it to 6.3.10 directly?
Splunk Support last year sent out a notice about this problem and the procedure to update the Forwarders' expired certificate:
https://answers.splunk.com/answers/395886/for-splunk-enterprise-splunk-light-and-hunk-pre-63.html?el...
Bye.
Giuseppe
SSL can be used both to access Splunk Web and to send logs from Forwarders to Indexers.
For the second use, you must have the following lines on your Indexers, in $SPLUNK_HOME/etc/system/local/inputs.conf (see http://docs.splunk.com/Documentation/Splunk/6.6.2/Security/AboutsecuringyourSplunkconfigurationwithS...):
[SSL]
password = XXXXXXXXXXXXX
rootCA = /opt/splunk/etc/auth/cacert.pem
serverCert = /opt/splunk/etc/auth/server.pem
Bye.
Giuseppe
Hi,
Below is all the config I did.
1- On the indexers I put the settings below:
[splunktcp-ssl:9997]
disabled = 0
[SSL]
password = $1$hRTZVBQRSqRp
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem
2- On the Forwarder I put the settings below:
[tcpout]
defaultGroup = kw_indexer_new
useACK = true
forceTimebasedAutoLB = true
[tcpout:kw_indexer_new]
server = ksplkprdaio.alrajhi.bank:9997
autoLB = true
sslVerifyServerCert = false
sslPassword = password
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
useClientSSLCompression = true
3- The inputs.conf below is pushed to the universal forwarder:
[monitor://D:\FTP\BlueCoatLogs*.log.gz]
disabled = 0
host = kwproxysg1
index = bcoat
sourcetype = bluecoat:proxysg:access:file
I did all of the above but the problem still exists.
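Giuseppe's inputs.conf stanza and the indexer/forwarder pair posted above are the two halves of one SSL forwarding setup, and most of the mistakes in such a pair are visible from the files alone. As an added example (not code from the thread or from Splunk), here is a linter over the two files as strings. The config strings are copied from the post above with the hashed password replaced by a placeholder; the check names, the lint() function and the severities are my own. It flags missing keys, a forwarder port with no matching [splunktcp-ssl:<port>] listener, sslVerifyServerCert left off, and a root CA file name that differs between the two sides (in the post: cacert.pem on the indexer, ca.pem on the forwarder), which is worth confirming is really the same CA.

```python
"""Lint a Splunk indexer inputs.conf / forwarder outputs.conf pair for SSL
forwarding. Added example, not from the original thread or from Splunk.

The two config strings are copied from the thread (hashed password replaced
by a placeholder); the checks and their wording are this example's own.
"""
import configparser
import posixpath

INDEXER_INPUTS = """\
[splunktcp-ssl:9997]
disabled = 0
[SSL]
password = <hashed-password>
rootCA = $SPLUNK_HOME/etc/auth/cacert.pem
serverCert = $SPLUNK_HOME/etc/auth/server.pem
"""

FORWARDER_OUTPUTS = """\
[tcpout]
defaultGroup = kw_indexer_new
useACK = true
forceTimebasedAutoLB = true
[tcpout:kw_indexer_new]
server = ksplkprdaio.alrajhi.bank:9997
autoLB = true
sslVerifyServerCert = false
sslPassword = password
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
useClientSSLCompression = true
"""


def load(text):
    """Parse a Splunk .conf file: '=' delimiters, case-sensitive keys, no interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def basename(path):
    """File name of a path, accepting either / or \\ separators."""
    return posixpath.basename(path.replace("\\", "/"))


def lint(indexer_inputs, forwarder_outputs):
    """Return a list of (severity, message) findings for the pair of files."""
    idx = load(indexer_inputs)
    fwd = load(forwarder_outputs)
    findings = []

    # 1. Indexer must have an enabled SSL listener and an [SSL] stanza with cert, CA, password.
    ssl_ports = {s.split(":", 1)[1] for s in idx.sections()
                 if s.startswith("splunktcp-ssl:")
                 and idx[s].get("disabled", "0").lower() not in ("1", "true")}
    if not ssl_ports:
        findings.append(("ERROR", "indexer has no enabled [splunktcp-ssl:<port>] stanza"))
    ssl_sec = idx["SSL"] if idx.has_section("SSL") else {}
    for key in ("serverCert", "rootCA", "password"):
        if key not in ssl_sec:
            findings.append(("ERROR", f"indexer [SSL] is missing {key}"))

    # 2. Each forwarder output group must carry the client-side SSL settings
    #    and point at a port the indexer actually serves over SSL.
    groups = [s for s in fwd.sections() if s.startswith("tcpout:")]
    if not groups:
        findings.append(("ERROR", "forwarder has no [tcpout:<group>] stanza"))
    for g in groups:
        sec = fwd[g]
        for key in ("sslCertPath", "sslRootCAPath", "sslPassword"):
            if key not in sec:
                findings.append(("ERROR", f"{g} is missing {key}"))
        for server in sec.get("server", "").split(","):
            port = server.strip().rsplit(":", 1)[-1]
            if ssl_ports and port not in ssl_ports:
                findings.append(("ERROR", f"{g} sends to port {port} but the indexer "
                                          f"SSL listeners are on {sorted(ssl_ports)}"))
        if sec.get("sslVerifyServerCert", "false").lower() != "true":
            findings.append(("WARN", f"{g}: sslVerifyServerCert is not true, so the forwarder "
                                     "does not verify the indexer certificate against sslRootCAPath"))
        if "rootCA" in ssl_sec and "sslRootCAPath" in sec \
                and basename(ssl_sec["rootCA"]) != basename(sec["sslRootCAPath"]):
            findings.append(("WARN", f"{g}: root CA file {basename(sec['sslRootCAPath'])} differs "
                                     f"from the indexer rootCA {basename(ssl_sec['rootCA'])}; "
                                     "confirm both are the same CA"))
    return findings


if __name__ == "__main__":
    for severity, message in lint(INDEXER_INPUTS, FORWARDER_OUTPUTS):
        print(f"{severity}: {message}")
```

Run against the pair from the post it reports the two WARNs only; a pair with no [SSL] stanza on the indexer, or a port mismatch, produces ERRORs. It deliberately checks only what the files say: whether the PEM files exist, match each other and are still valid has to be checked on the hosts themselves.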