This is a new Splunk deployment using a single instance to serve as Indexer, Search Head, and Deployment Server. We used certificates signed by our internal CA to configure SSL data forwarding, however, I am not seeing any of the expected Windows logs being forwarded to the Indexer. Looking at the splunkd log on the Indexer, it returns the error, "Socket error from FORWARDER while idling: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown" I tried to diagnose using btool, but I'm not sure what I'm looking for.
Turns out that a default input file was being generated during the UF installation that was screwing up my actual inputs for data collection. Once I deleted that file things began working appropriately, albeit with the default certificates.
Turns out that a default input file was being generated during the UF installation that was screwing up my actual inputs for data collection. Once I deleted that file things began working appropriately, albeit with the default certificates.
Have you check the connection between the forwarder and indexer?
you can run openssl command in splunk/bin to test the certificates if it can get through to the indexer.
Check the metrics.log too.
I've verified that the ports are open between the forwarder & indexer. When I tested the SSL certificate it just returned that a self-signed certificate was in the chain, I don't think it was an error per se.
I was finally able to see some traffic within the metrics log, but only after I reverted back to the original default SSL certificates. The problem is, 1) the default SSL certificates are not secure and 2) I'm still not see any data forwarded from other inputs that I've deployed via Splunk_TA_windows.