Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: system sslPassword not hashing
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My universal fowarders are not hashing the sslPassword file stored at the etc/system location after restart. Instead, the hash is being created in a new outputs.conf in the SplunkUniversalForwarder local folder but still leaving the unhashed value in the etc/system/local/outputs.conf. I specifically moved the ssl config to etc/system because of the limitation of apps being unable to hash the sslPassword attribute.
Please help me make sure my sslPassword is hashed?
Config highlights:
This is the file after a restart:
/opt/splunkforwarder/etc/system/local/outputs.conf
[tcpout]
defaultGroup = splunk
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslPassword = password
sslRootCAPath = $SPLUNK_HOME/etc/auth/cacert.pem
(pulled from deployment server)
/opt/splunkforwarder/etc/apps/forwardingPropsToProdSplunk/default
[tcpout:splunk]
server = <hostname>:<port> #Replaced for posting in this forum
forwardedindex.0.whitelist = _internal
This is what is generated:
/opt/splunkforwarder/etc/apps/SplunkUniversalForwarder/local/outputs.conf
[tcpout]
dnsResolutionInterval = 300
sslPassword = $1$wlv2PW4J2Hah
useClientSSLCompression = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It turns out that the sslPassword can only be hashed when it is in an outputs.conf in a local folder.
Support believes that the following two statements in the outputs.conf documentation are incorrect (but they are looking into it to be sure):
- Starting with 4.2, the [tcpout] stanza is no longer required.
- Starting with 4.2, this attribute is no longer required.
I was able to put the sslPassword in the outputs file in the local folder of an app that I use to specify the indexer and ssl configuration and the sslPassword autohash on the forwarders side when the forwarder restarted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It turns out that the sslPassword can only be hashed when it is in an outputs.conf in a local folder.
Support believes that the following two statements in the outputs.conf documentation are incorrect (but they are looking into it to be sure):
- Starting with 4.2, the [tcpout] stanza is no longer required.
- Starting with 4.2, this attribute is no longer required.
I was able to put the sslPassword in the outputs file in the local folder of an app that I use to specify the indexer and ssl configuration and the sslPassword autohash on the forwarders side when the forwarder restarted.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am using a deployment server. I merely showed the resulting forwarder. Ideally I would be able to use the DS to push the cert info but the result is that the deployed app will not have a hashed password value after restart. I do understand config file precedence in the sense that I undersand the more specific wins over the more general (app vs system).
Does that help clarify? Sorry if my prior post was unclear. Thanks for your help on this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am sorry I confused as to why you are not using deployment server to deploy an app with all those settings. Also do you under stand config file precedence? I am currently doing what you want I'd be happy to detail its lay out. I also think I know why your password is not hashing correctly.
[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
