Splunk 10: Journald input not working with debian ...

Beerman · ‎09-26-2025

After upgrading to Debian 13 Journald input is not working anymore with Splunk 10.x.

This error I found in the internal logs:

ERROR ExecProcessor [3095663 ExecProcessor] - message from "/opt/splunk/bin/splunkd journald-modinput '$@'" journalctl: /opt/splunk/lib/libcrypto.so.3: version `OPENSSL_3.4.0' not found (required by /usr/lib/x86_64-linux-gnu/systemd/libsystemd-shared-257.so)

(With Debian 12 Journald input is working. And with Splunk 9.4.x Journald input is working with Debian 13)

PickleRick · ‎04-07-2026

It seems there are some issues with libssl compatibility. See for example https://splunk.my.site.com/customer/s/article/OPENSSL-3-4-0-not-found-warning-message-after-splunk-e...

Hopefully they will be resolved soon. You might want to raise a support case with your specific issue details.

eplacido · ‎12-02-2025

Getting the same issue with AlmaLinux 9.7...

Tried this:

sudo mv /opt/splunk/lib/libcrypto.so.3 /opt/splunk/lib/libcrypto.so.3.bak
sudo ln -s /usr/lib64/libcrypto.so.3 /opt/splunk/lib/libcrypto.so.3

but then I get this instead:

Traceback (most recent call last):
  File "/opt/splunk/lib/python3.9/site-packages/splunk/clilib/cli.py", line 25, in <module>
    import splunk.clilib.control_api as ca
  File "/opt/splunk/lib/python3.9/site-packages/splunk/clilib/control_api.py", line 5, in <module>
    import splunk.clilib._internal as _internal
  File "/opt/splunk/lib/python3.9/site-packages/splunk/clilib/_internal.py", line 7, in <module>
    from splunk.clilib import manage_search
  File "/opt/splunk/lib/python3.9/site-packages/splunk/clilib/manage_search.py", line 16, in <module>
    from splunk.clilib import bundle_paths
  File "/opt/splunk/lib/python3.9/site-packages/splunk/clilib/bundle_paths.py", line 24, in <module>
    import ssl
  File "/opt/splunk/lib/python3.9/ssl.py", line 99, in <module>
    import _ssl             # if we can't import it, let the error propagate
ImportError: /opt/splunk/lib/python3.9/lib-dynload/_ssl.cpython-39-x86_64-linux-gnu.openssl3.so: undefined symbol: RAND_egd, version OPENSSL_3.0.0

tsteiner38 · ‎04-02-2026

You missed libssl.so. My solution is

chmod 0000 /opt/splunkforwarder/lib/libcrypto.so* /opt/splunkforwarder/lib/libssl.so*

danielbb · ‎09-26-2025

As @livehybrid said, Debian 13 isn’t listed as a supported OS for Splunk Enterprise 10.0, so this incompatibility with newer OpenSSL versions could be the cause of the issue.

It’s recommended to raise a support request at https://splunk.com/support so Splunk can address it in a future minor release.

If this helps, some karma would be appreciated!

livehybrid · ‎09-26-2025

Hi @Beerman

Debian 13 isnt listed as a supported OS for Splunk Enterprise at https://help.splunk.com/en/splunk-enterprise/get-started/install-and-upgrade/10.0/plan-your-splunk-e... so it could be that there is some incompatibility here with newer versions of OpenSSL.

Despite it not being referenced as a supported OS it might be worth raising a support request/case at https://splunk.com/support so that it could potentially be addressed for a future minor release.

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful

Marking it as the solution if it resolved your issue

Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing.

Splunk 10: Journald input not working with debian 13 (trixie)

heavy forwarder

modular input

universal forwarder

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation