Splunk Enterprise and Forwarders 9.3.2 on Windows TLS Configuration

rasmith1
Engager

Using "Securing the Splunk platform with TLS", I have converted Microsoft-provided certificates to PEM format and verified them with the openssl verify -CAfile "CAfile.pem" "Server.pem" command.

TLS configuration of the web interface using web.conf is successful.

TLS configuration of forwarder to indexer has failed consistently using the indexer server.conf file and the forwarder server.conf file as detailed in the doc. Our deployment is very simple: 1 indexer and a collection of Windows forwarders.

Has anyone been able to get TLS working between forwarder and indexer on version 9+?

Any tips on splunkd.log entries that may point to the issue(s)?

 

Thanks for any help. I will be out of office next week but will return Dec 30 and check this. Thanks again.

 


marnall
Motivator

Could you log in as the Splunk user on your indexer and then run btool for the stanzas relating to the TLS-secured forwarding?

/opt/splunk/bin/splunk btool inputs list SSL
/opt/splunk/bin/splunk btool inputs list splunktcp-ssl
/opt/splunk/bin/splunk btool server list sslConfig

Make sure that the settings are set according to the instructions in the article. If they are the wrong values, then add --debug to the btool commands to find the file which is setting the command.

If there are no problems there, then do you find specific complaints in the splunkd log of the forwarder? E.g. "Invalid certificate", or does the connection time out?

Have you been able to forward logs, even _internal logs, before setting up TLS?
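As an added example (not part of the original thread), this Python sketch parses btool --debug output to show which file supplies each effective TLS setting and flags values that still come from a default directory. The sample output, including the org_tls app name and certificate paths, is constructed for illustration.

```python
import re

# Constructed sample of `splunk btool server list sslConfig --debug` output
# from a Windows host; paths and values are illustrative, not from the thread.
SAMPLE = r"""
C:\Program Files\Splunk\etc\system\local\server.conf   [sslConfig]
C:\Program Files\Splunk\etc\system\default\server.conf enableSplunkdSSL = true
C:\Program Files\Splunk\etc\system\default\server.conf serverCert = $SPLUNK_HOME\etc\auth\server.pem
C:\Program Files\Splunk\etc\apps\org_tls\local\server.conf sslRootCAPath = C:\certs\CAfile.pem
C:\Program Files\Splunk\etc\system\local\server.conf   sslPassword = $7$constructedvalue
"""

# The source file ends in ".conf"; Windows paths may contain spaces, so split
# on the first ".conf" followed by whitespace rather than on the first space.
LINE = re.compile(r"^(?P<src>.+?\.conf)\s+(?P<body>\S.*)$")
STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]$")
SETTING = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<val>.*)$")

def parse_btool_debug(text):
    """Return {(stanza, key): (value, source_file)} from btool --debug output."""
    result, stanza = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        body = m.group("body").strip()
        s = STANZA.match(body)
        if s:
            stanza = s.group("name")
            continue
        kv = SETTING.match(body)
        if kv and stanza:
            result[(stanza, kv.group("key"))] = (kv.group("val"), m.group("src"))
    return result

def from_default(settings, stanza, keys):
    """Keys in `stanza` whose effective value still comes from a default directory."""
    out = []
    for key in keys:
        val_src = settings.get((stanza, key))
        if val_src and re.search(r"[\\/]default[\\/]", val_src[1]):
            out.append(key)
    return out

if __name__ == "__main__":
    parsed = parse_btool_debug(SAMPLE)
    for (stanza, key), (val, src) in parsed.items():
        print(f"[{stanza}] {key} = {val}   <- {src}")
    print("still default:", from_default(parsed, "sslConfig", ["serverCert", "sslRootCAPath"]))
```

In the constructed sample, serverCert is reported as still coming from system\default, meaning the converted certificate was never applied to that stanza.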

rasmith1
Engager

After some more searching I found SEC1936B .conf23 and followed the file configuration instructions.

I have TLS connections now.

Thank you for your time.
