Using "Securing the Splunk platform with TLS" I have converted Microsoft-provided certificates to PEM format and verified them with the command openssl verify -CAfile "CAfile.pem" "Server.pem".
TLS configuration of the web interface using web.conf is successful.
TLS configuration of forwarder to indexer has failed consistently using the indexer server.conf file and the forwarder server.conf file as detailed in the doc. Our deployment is very simple: 1 indexer and a collection of Windows forwarders.
Has anyone been able to get TLS working between forwarder and indexer on version 9+?
Any tips on splunkd.log entries that may point to the issue(s)?
Thanks for any help. I will be out of office next week but will return Dec 30 and check this. Thanks again.
Could you log in as the Splunk user on your indexer and then run btool for the stanzas relating to the TLS-secured forwarding?
/opt/splunk/bin/splunk btool inputs list SSL
/opt/splunk/bin/splunk btool inputs list splunktcp-ssl
/opt/splunk/bin/splunk btool server list sslConfig
Make sure that the settings are set according to the instructions in the article. If they are the wrong values, then add --debug to the btool commands to find the file which is setting the command.
If there are no problems there, then do you find specific complaints in the splunkd log of the forwarder? E.g. "Invalid certificate", or does the connection time out?
Have you been able to forward logs, even _internal logs, before setting up TLS?
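The btool check suggested above can be scripted. The following is an added example, not part of the thread or of Splunk's documentation: it reads `btool inputs list --debug` output and reports which file sets `serverCert` in `[SSL]` and whether a `[splunktcp-ssl:<port>]` listener exists. The function names, the sample btool output and the file paths in it are constructed for illustration.

```shell
#!/bin/sh
# Real use (as the Splunk user on the indexer):
#   /opt/splunk/bin/splunk btool inputs list --debug | check_inputs_tls

# Turn `btool --debug` lines ("<file>  <stanza or key = value>") into
# tab-separated rows: stanza, key, value, file. Assumes no spaces in file paths.
parse_btool_debug() {
  awk '{
    file = $1; rest = $0
    sub(/^[^ \t]+[ \t]+/, "", rest)            # drop the file-path column
    if (rest ~ /^\[.*\]$/) {                   # stanza header line
      stanza = substr(rest, 2, length(rest) - 2)
      print stanza "\t\t\t" file; next
    }
    eq = index(rest, "="); if (eq == 0) next
    key = substr(rest, 1, eq - 1); val = substr(rest, eq + 1)
    gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
    print stanza "\t" key "\t" val "\t" file
  }'
}

# Exit status is the number of problems found (0 = both settings present).
check_inputs_tls() {
  parse_btool_debug | awk -F'\t' '
    $1 ~ /^splunktcp-ssl:/ { listener = 1 }
    $1 == "SSL" && $2 == "serverCert" && $3 != "" { cert = $4 }
    END {
      if (!listener) { print "MISSING [splunktcp-ssl:<port>] stanza"; bad++ }
      if (cert == "") { print "MISSING serverCert in [SSL]"; bad++ } else print "serverCert set by " cert
      exit bad + 0
    }'
}

# Constructed sample: TLS listener and certificate configured in an app (paths are made up).
GOOD='/opt/splunk/etc/apps/tls_inputs/local/inputs.conf  [SSL]
/opt/splunk/etc/apps/tls_inputs/local/inputs.conf  serverCert = /opt/splunk/etc/auth/mycerts/Server.pem
/opt/splunk/etc/system/default/inputs.conf         requireClientCert = false
/opt/splunk/etc/apps/tls_inputs/local/inputs.conf  [splunktcp-ssl:9997]'
# Constructed sample: only a plain-text listener and no certificate in [SSL].
BAD='/opt/splunk/etc/system/local/inputs.conf    [splunktcp://9997]
/opt/splunk/etc/system/default/inputs.conf  [SSL]
/opt/splunk/etc/system/default/inputs.conf  requireClientCert = false'

printf '%s\n' "$GOOD" | check_inputs_tls
printf '%s\n' "$BAD"  | check_inputs_tls || echo "problems found: $?"
```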
After some more searching I found SEC1936B .conf23 and followed the file configuration instructions.
I have TLS connections now.
Thank you for your time.