Hey All 🙂
I've configured tcp-ssl on HF, created certificates and the following configuration.
The HF receive syslog from third-party, I'll send the third party company the CA (combined certificat) I created based on these docs:
1. How to create and sign your own TLS certificates
2. Create a single combined certificate file
inputs.conf
[tcp-ssl://2222]
index = test
sourcetype = st_test
[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\mycerts\myServerCertificate.pem
sslPassword = <Server.key password>
sslRootCAPath = C:\Program Files\Splunk\etc\auth\mycerts\myCertAuthCertificate.pem
Server.conf
[sslconfig]
sslPassword = <password encrypted that I didn't configured>
And yet Splunk isn't listening to the requested port for example 2222
What am I missing?
The error I get in Splunk _internal is:
SSL context not found. Will not open raw (SSL) IPv4 port 2222
Please assist, and Thank YOU!!!
Check logs more "backwards" to see earlier errors. Maybe you mistyped file paths, maybe the password was wrong...
A couple steps to troubleshoot:
- If you remove the SSL, can you get Splunk to startup and listen on that port?
- Are your paths 100% correct - this could be related to a typo in the path/filename.
- Do your certificates have the correct permissions so Spunk can see them?
As a side note, Splunk will auto-encrypt passwords like that in your .conf files. You'll see the following wording for values it does this with in the documentation (e.g. inputs.conf sslPassword documentation)
Upon first use, the input encrypts and rewrites the password