Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

After installing a new UF, why is it not forwarding logs to the Indexers?

u2s1e0n2
New Member
‎05-10-2018 10:30 AM 
05-10-2018 15:13:13.954 +0000 ERROR TcpOutputProc - Error initializing SSL context - invalid sslCertPath for server 45.125.XXX.X:9997
05-10-2018 15:13:13.959 +0000 ERROR SSLCommon - Can't read key file /opt/splunkforwarder/etc/auth/server.pem errno=151429224 error:0906A068:PEM routines:PEM_do_header:bad password read.

I just installed a new UF but it's not forwarding logs to the Indexers and the $SPLUNKHOME /var/log/splunk/splunkd.log shows the error message above. The IP in the error message is that of the Indexer: It is connecting to the Deployment Server and getting configs but not sending logs to the Indexers.
I need help understanding what is happening. I have reinstalled the UF but still got the same error messages.

The certs are default Splunk certs

Thanks

0 Karma
Reply

xpac
SplunkTrust
SplunkTrust
‎05-10-2018 03:51 PM

Please check if /opt/splunkforwarder/etc/auth/server.pem exists and can be read by the user Splunk runs at it. Have you modified it, or the password used for it? Does your outputs.conf contain a special sslCertPath settings for your indexers? If yes, check that file too.

0 Karma
Reply
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...