Installation
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Any concerns when upgrading from Splunk version 6.5 to 7.1 (Win2008R2)?

qufe
Explorer
‎07-17-2018 12:43 AM

Hello !

We have installed Splunk 6.5.1 on a Windows 2008 R2 two years ago. We'd like to upgrade it to 7.1.
According to the well-furnished documentation, we can upgrade without intermediate version.
However, being on a Windows 2008 R2 will be problematic as the cipher suites won't be supported (according to Splunk/7.1.2/Installation/AboutupgradingREADTHISFIRST).

As far as I've understood, Splunk/7.1.2/Security/AboutTLSencryptionandciphersuites implies that I should change the files alert_actions.conf and ldap.conf as they are the only ones where Windows 2008 is quoted.
First of all, have I understood this properly ?

Then, I've searched those files on our Splunk and there are a lot of them. I don't know which one (or ones) I should modify.
Can you please tell me which files I should change with those SSL parameters ?

And finally, is there specific points I should be aware of when upgrading ? Documentation seems pretty clear about that but I always prefer to hear that from experimented people.

Please forgive me for my lack of skill on this product and my not-so-fluant english.
Thank you in advance for your help.

Best regards,

Quentin

Labels (2)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

qufe
Explorer
‎07-17-2018 07:50 AM

Hello,

Thank you for your answer.

That's indeed what I found in the documentation for the Windows 2008 part. But in the same page, there were mentions of alert_actions.conf and ldap.conf for the 2008 compatibility.
And to be honest, I don't know what to do with this. Is it mandatory to modify alert_actions.conf and ldap.conf ? Or is it needed only in certain cases ?
The part you mentioned is indeed needed.

Best regards,

Quentin

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

qufe
Explorer
‎07-17-2018 07:50 AM

Hello,

Thank you for your answer.

That's indeed what I found in the documentation for the Windows 2008 part. But in the same page, there were mentions of alert_actions.conf and ldap.conf for the 2008 compatibility.
And to be honest, I don't know what to do with this. Is it mandatory to modify alert_actions.conf and ldap.conf ? Or is it needed only in certain cases ?
The part you mentioned is indeed needed.

Best regards,

Quentin

0 Karma
Reply
Solved! Jump to solution

jcrabb_splunk
Splunk Employee
Splunk Employee
‎07-17-2018 09:05 AM

Any of the configuration files listed on that page are the "default" settings. Those are the settings provided out of the box. If you have made changes to those previously, in order to utilize the default TLS cipher suites, you would need to revert those changes.

Just a brief additional comment, as folks have migrated to 6.6 or later, legacy Splunk instances have had problems connecting to the upgraded instances because of the new default TLS/SSL settings. I would refer you to these known issues:

Known Issues:

Review these items:

  • SPL-141964
  • SPL-141961
  • SPL-139019
  • SPL-138647
Jacob
Sr. Technical Support Engineer
0 Karma
Reply
Solved! Jump to solution

qufe
Explorer
‎07-17-2018 11:28 PM

Hello,

Thanks for your reply.

I didn't modify any default file (even in the local folder as far as I know).
So if I've understood your reply, those files will updated themselves with the upgrade (as they have a version number) and I won't have to modify anything here.
The only thing I'll have to do is to modify several things on the Windows as you stated before.

Is this correct ?

0 Karma
Reply
Solved! Jump to solution

jcrabb_splunk
Splunk Employee
Splunk Employee
‎07-18-2018 05:29 AM

That is correct.

Jacob
Sr. Technical Support Engineer
0 Karma
Reply
Solved! Jump to solution

jcrabb_splunk
Splunk Employee
Splunk Employee
‎07-17-2018 07:42 AM

Based on the documentation, it is stating that in order to support the TLS/SSL Cipher suites introduced in 6.6 +, you will need to edit the Windows Registry:

About Upgrading

The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cipher suites in version 7.1 are not supported on Windows Server 2008 R2 (Originally introduced in version 6.6). The TLS and SSL cipher suites that come with version 7.0 of Splunk Enterprise do not support Windows Server 2008 R2 by default. If you upgrade, and you used SSL and TLS to handle forwarder-to-indexer communication or alert actions, those actions will not work until you make updates to both Windows and Splunk Enterprise configurations.

To add TLS 1.2 Support

To enable TLS 1.2 support on Windows Server 2008 R2:

  1. Add key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

  1. In the TLS 1.2\Server key, create the following:

DWORD (32-bit) Value – DisabledByDefault; set to 0

DWORD (32-bit) Value – Enabled; set to 1

Jacob
Sr. Technical Support Engineer
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top