Hi fellow splunkers,
I recently noticed a configuration error. I wrongly distributed the "[SSL] password= "via cluster-bundle to the indexers.
The problem as you might know is that the password gets not encrypted when it's on the indexers. And there is an even bigger problem to this, about duplicated apps.
I now tried to correct this fault, by deleting the "password = " entry in the .../etc/masterapps/cluster/local/ on the master and distributed these settings to the indexer-cluster.
Then I went onto every indexer manually and added the [SSL] Stanza and "password= " entry to the .../etc/system/local/inputs.conf. After that I restarted splunkd on all of them.
Sadly this didn't encrypt the password. What could be wrong?
Thank you for your suggestions!
It only encrypts the password in inputs.conf & outputs.conf if its found in a splunktcp-ssl stanza.
the indexer is encrypting this inside it's /opt/splunk/etc/apps/directory as a copy of the app, it doesn't write it to the bundle directory found in slave-apps