Getting Data In

How to resolve "ssl23_get_client_hello unknown protocol" error on indexer and "TcpOutputFd Read error" on forwarder?

splunkreal
Influencer

Hello guys,

I'm using this on deployment-apps (universal forwarder deployment) :

[tcpout]
defaultGroup = default-autolb-group

[tcpout:default-autolb-group]
server = indexer:9997

[tcpout-server://indexer:9997]
sslCertPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/apps/APP_OUTPUTS_BASE_PPR/local/cacert.pem
sslVerifyServerCert = false

I'm 99% sure sslPassword for my cacert.pem is not 'password', so isn't it working for server.pem instead (default splunk cert) ?

If I use the correct cacert pass, I get ssl23_get_client_hello unknown protocol on indexer and TcpOutputFd Read error on forwarder.

Thanks for your clarification.

* If this helps, please upvote or accept solution if it solved *
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi realsplunk,
sorry for this detail:
the steps you have to do are:

  • insert correct password in inputs.conf (verify where is the inputs.conf file where there is sslPassword: $SPLUNK_HOME/etc/system/local) on your indexers;
  • restart indexers, password will be encrypted
  • insert correct password in inputs.conf in your TA (in local directory);
  • restart forwarder, password will be encrypted

If you insert outputs.conf in default directory, password will be encrypted in local directory and not encripted in default directory.
Bye.
Giuseppe

0 Karma

splunkreal
Influencer

So why at http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/Outputsconf we have :

sslPassword =
The password associated with the CAcert.
The default Splunk CAcert uses the password "password".
There is no default value.*

Thanks a lot!

* If this helps, please upvote or accept solution if it solved *
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...