I've been trying to install an older version of the Splunk Forwarder on a Server 2016 R2 box with no luck. I'm pretty sure I have what is needed in inputs.conf, outputs.conf, the server.pem file, and the cacert.pem file. Is there anything else I could be missing? I even restarted the splunk service and it's still not popping up. I'm not familiar with reading the splunkd logs to see what could have gone wrong.
This may help you setting up certificate to work: https://answers.splunk.com/answers/7164/how-do-i-set-up-ssl-forwarding-with-new-self-signed-certific...
It looks like I forgot the deploymentclient piece and a few other things as well. I now have the box showing in Splunk; I'm just trying to ship logs to it, and that doesn't seem to be working! Oh what a process! I'll open a new thread for that.
Do you see any successful connection messages in splunkd.log on the forwarder?
I see this 04-20-2017 14:57:04.650 -0400 INFO DS_DC_Common - Deployment Server|Client initialized successfully.
To be honest this is my first time looking at a splunkd log - would it just be listed as a successful connection in there?
Try to look for
TcpOutputProc - Cooked connection to ip=x.x.x.x
I actually found some things on our main Splunk server, which is likely why this isn't working:
04-21-2017 10:42:23.281 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate expired'.
04-21-2017 10:42:23.281 -0400 ERROR TcpInputProc - Error encountered for connection from src=172.16.X.X:56238. error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
(I put the X.X in.)
Do you know which cert this is referring to?
It should be using the cert you specified in outputs.conf.
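The two checks suggested in this thread (look for a TcpOutputProc connection message on the forwarder, and for SSLCommon / TcpInputProc certificate errors on the indexer) can be scripted. The following is an added example, not code from the thread or from Splunk: it parses splunkd.log lines with a small regex and reports whether the deployment client initialised, which indexer the forwarder tried to reach, which source the indexer rejected, and the TLS alert it sent. The sample log text is constructed for the example; the DS_DC_Common, SSLCommon and TcpInputProc lines are modelled on the ones quoted above with made-up addresses, and the TcpOutputProc "timed out" / "Connected to idx=" tails are assumed wording.

```python
import re

# Constructed sample splunkd.log excerpt (addresses are made up; the
# TcpOutputProc message tails are assumed, not copied from the thread).
SAMPLE_LOG = """\
04-20-2017 14:57:04.650 -0400 INFO  DS_DC_Common - Deployment Server|Client initialized successfully.
04-20-2017 14:57:10.102 -0400 WARN  TcpOutputProc - Cooked connection to ip=172.16.0.10:9997 timed out
04-21-2017 10:42:23.281 -0400 WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate expired'.
04-21-2017 10:42:23.281 -0400 ERROR TcpInputProc - Error encountered for connection from src=172.16.0.21:56238. error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
"""

# splunkd.log line shape: "<date> <time> <tz> <LEVEL> <Component> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)


def parse_line(line):
    """Split one splunkd.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Summarise the forwarder/indexer TLS-setup messages in a splunkd.log excerpt.

    deployment_ok  - deployment client initialised (forwarder side)
    output_targets - indexer ip:port values from TcpOutputProc messages (forwarder side)
    connected      - a TcpOutputProc "Connected to idx=" line was seen (forwarder side)
    ssl_alerts     - alert_description values from SSLCommon fatal alerts (either side)
    failed_sources - src ip:port from TcpInputProc SSL errors (indexer side)
    """
    summary = {
        "deployment_ok": False,
        "output_targets": [],
        "connected": False,
        "ssl_alerts": [],
        "failed_sources": [],
    }
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        comp, msg = rec["component"], rec["msg"]
        if comp == "DS_DC_Common" and "initialized successfully" in msg:
            summary["deployment_ok"] = True
        elif comp == "TcpOutputProc":
            m = re.search(r"\b(?:ip|idx)=([\d.]+:\d+)", msg)
            if m and m.group(1) not in summary["output_targets"]:
                summary["output_targets"].append(m.group(1))
            if msg.startswith("Connected to idx="):
                summary["connected"] = True
        elif comp == "SSLCommon":
            m = re.search(r"alert_description='([^']*)'", msg)
            if m:
                summary["ssl_alerts"].append(m.group(1))
        elif comp == "TcpInputProc" and "SSL routines" in msg:
            m = re.search(r"src=([\d.]+:\d+)", msg)
            if m:
                summary["failed_sources"].append(m.group(1))
    return summary


def verdict(summary):
    """Turn a triage() summary into a one-line next step."""
    if "certificate expired" in summary["ssl_alerts"]:
        who = ", ".join(summary["failed_sources"]) or "the forwarder"
        return ("TLS handshake rejected: the certificate presented by %s has expired; "
                "check the validity period of the cert file named in outputs.conf" % who)
    if summary["ssl_alerts"]:
        return "TLS handshake rejected with alert(s): " + ", ".join(summary["ssl_alerts"])
    if summary["connected"]:
        return "forwarder connected to " + ", ".join(summary["output_targets"])
    if summary["output_targets"]:
        return "no successful connection yet to " + ", ".join(summary["output_targets"])
    return "no TcpOutputProc activity: check outputs.conf and restart splunkd"


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s)
    print(verdict(s))
```

Run it against the real file on each side (`$SPLUNK_HOME\var\log\splunk\splunkd.log` on the forwarder and on the indexer) by replacing SAMPLE_LOG with the file contents. When the verdict is "certificate expired", confirm the dates on the file outputs.conf points to with `openssl x509 -in server.pem -noout -enddate` before regenerating anything.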
2016 is still on R1, and is currently unsupported.
Also, what version are you trying to install?
Sorry, I meant to say Windows Server 2016 Server Core - still unsupported? I think the install went through; it's just that it's not popping up. I was doing this as a test. We will be upgrading our forwarders that are currently at 6.4.1 and I wanted to test Ansible plays. Do you suggest maybe I try spinning up another Windows Server that isn't 2016? Thanks!
My 6.5.2 install on my 2016 server with GUI works pretty well, but I'm only collecting basic Windows TA information at the moment.
6.5.4 will add support for 2016 server in late May.