Getting Data In

Why am I unable to use token authentication on a universal forwarder?

mvidal31
Engager

Hello Splunk community,

I'm trying to use token authentication between an indexer and a universal forwarder. All seems to be good on my indexer, but the UF doesn't seem to understand the configuration.
This is my configuration in /local/outputs.conf:

[tcpout]
defaultGroup = index

[tcpout:index]
server= aaa.bbb.ccc.ddd:ppp
token = 8-4-4-4-12

When I restart the Splunk daemon, the token stays in clear text in the configuration file, and on the indexer I have this log: "token not sent by forwarder!"

If I specify that without the token, the UF works very well.

Does somebody know where I'm wrong?

Bonus question: Does anyone know how the token is created (urand, ...)?

Thank you a lot!

0 Karma

rdimri_splunk
Splunk Employee

Hey mvidal,
Could you double check that the token that you have put in outputs.conf is indeed a valid one? That is, it has the same value which you got when you generated it on the indexer.
Some key points to keep in mind:
1) Not all strings are valid tokens; they are GUIDs. If it is not a valid token, it will not be sent from the forwarder to the indexer.
2) Your token stays in plain text because the string '8-4-4-4-12' is not a valid GUID. Since it is not a valid token, we don't even look at it from the perspective of using it or encrypting it.

Technically you should not have to care about how tokens are generated by the indexer. You should treat them as opaque objects from your side.

0 Karma
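
An added example (not code from this thread or from Splunk): a check that flags `token` values in an outputs.conf that are not GUID-shaped, which is the case the answer above describes. It assumes the 8-4-4-4-12 hexadecimal form and that an already-encrypted value starts with `$<digit>$`; the function names, the second stanza and its values are constructed.

```python
import configparser
import re

# Shape the thread describes: a GUID written as 8-4-4-4-12 hexadecimal digits.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed sample input: the poster's stanza plus a second, well-formed one.
SAMPLE_OUTPUTS_CONF = """\
[tcpout]
defaultGroup = index

[tcpout:index]
server= aaa.bbb.ccc.ddd:ppp
token = 8-4-4-4-12

[tcpout:index_ok]
server = 192.0.2.10:9997
token = 3F2504E0-4F89-41D3-9A0C-0305E82C3301
"""

def classify_token(value):
    """Return 'guid', 'obfuscated' or 'invalid' for one token value."""
    value = value.strip()
    if GUID_RE.match(value):
        return "guid"
    # Assumption: a value already rewritten by splunkd starts with "$<digit>$".
    if re.match(r"^\$\d\$", value):
        return "obfuscated"
    return "invalid"

def check_outputs_conf(text):
    """Map each tcpout stanza that sets `token` to its classification."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(text)
    results = {}
    for stanza in parser.sections():
        if stanza == "tcpout" or stanza.startswith("tcpout:"):
            if parser.has_option(stanza, "token"):
                results[stanza] = classify_token(parser.get(stanza, "token"))
    return results

if __name__ == "__main__":
    for stanza, status in check_outputs_conf(SAMPLE_OUTPUTS_CONF).items():
        print(f"[{stanza}] token: {status}")
```

A stanza reported as `invalid` still holds a literal placeholder or a mistyped value and should be replaced with the token copied from the indexer.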

ddrillic
Ultra Champion

The generation of the token and this particular error message are described at Control forwarder access.

The documentation about the error message is at the bottom of the page.

0 Karma

mvidal31
Engager

Thank you for your response.

I've already checked all the documentation on this subject. I'm trying to understand:

  • What are the real mechanisms used behind the command? When I ask to generate a token, how does it choose the token?

  • The UF doesn't send the token, that's right. But why?

I hope I'm more precise.

0 Karma