Installation

Any concerns when upgrading from Splunk version 6.5 to 7.1 (Win2008R2)?

qufe
Explorer

Hello !

We have installed Splunk 6.5.1 on a Windows 2008 R2 two years ago. We'd like to upgrade it to 7.1.
According to the well-furnished documentation, we can upgrade without intermediate version.
However, being on a Windows 2008 R2 will be problematic as the cipher suites won't be supported (according to Splunk/7.1.2/Installation/AboutupgradingREADTHISFIRST).

As far as I've understood, Splunk/7.1.2/Security/AboutTLSencryptionandciphersuites implies that I should change the files alert_actions.conf and ldap.conf as they are the only ones where Windows 2008 is quoted.
First of all, have I understood this properly ?

Then, I've searched those files on our Splunk and there are a lot of them. I don't know which one (or ones) I should modify.
Can you please tell me which files I should change with those SSL parameters ?

And finally, is there specific points I should be aware of when upgrading ? Documentation seems pretty clear about that but I always prefer to hear that from experimented people.

Please forgive me for my lack of skill on this product and my not-so-fluant english.
Thank you in advance for your help.

Best regards,

Quentin

Labels (2)
1 Solution

qufe
Explorer

Hello,

Thank you for your answer.

That's indeed what I found in the documentation for the Windows 2008 part. But in the same page, there were mentions of alert_actions.conf and ldap.conf for the 2008 compatibility.
And to be honest, I don't know what to do with this. Is it mandatory to modify alert_actions.conf and ldap.conf ? Or is it needed only in certain cases ?
The part you mentioned is indeed needed.

Best regards,

Quentin

View solution in original post

0 Karma

qufe
Explorer

Hello,

Thank you for your answer.

That's indeed what I found in the documentation for the Windows 2008 part. But in the same page, there were mentions of alert_actions.conf and ldap.conf for the 2008 compatibility.
And to be honest, I don't know what to do with this. Is it mandatory to modify alert_actions.conf and ldap.conf ? Or is it needed only in certain cases ?
The part you mentioned is indeed needed.

Best regards,

Quentin

0 Karma

jcrabb_splunk
Splunk Employee
Splunk Employee

Any of the configuration files listed on that page are the "default" settings. Those are the settings provided out of the box. If you have made changes to those previously, in order to utilize the default TLS cipher suites, you would need to revert those changes.

Just a brief additional comment, as folks have migrated to 6.6 or later, legacy Splunk instances have had problems connecting to the upgraded instances because of the new default TLS/SSL settings. I would refer you to these known issues:

Known Issues:

Review these items:

  • SPL-141964
  • SPL-141961
  • SPL-139019
  • SPL-138647
Jacob
Sr. Technical Support Engineer
0 Karma

qufe
Explorer

Hello,

Thanks for your reply.

I didn't modify any default file (even in the local folder as far as I know).
So if I've understood your reply, those files will updated themselves with the upgrade (as they have a version number) and I won't have to modify anything here.
The only thing I'll have to do is to modify several things on the Windows as you stated before.

Is this correct ?

0 Karma

jcrabb_splunk
Splunk Employee
Splunk Employee

That is correct.

Jacob
Sr. Technical Support Engineer
0 Karma

jcrabb_splunk
Splunk Employee
Splunk Employee

Based on the documentation, it is stating that in order to support the TLS/SSL Cipher suites introduced in 6.6 +, you will need to edit the Windows Registry:

About Upgrading

The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) cipher suites in version 7.1 are not supported on Windows Server 2008 R2 (Originally introduced in version 6.6). The TLS and SSL cipher suites that come with version 7.0 of Splunk Enterprise do not support Windows Server 2008 R2 by default. If you upgrade, and you used SSL and TLS to handle forwarder-to-indexer communication or alert actions, those actions will not work until you make updates to both Windows and Splunk Enterprise configurations.

To add TLS 1.2 Support

To enable TLS 1.2 support on Windows Server 2008 R2:

  1. Add key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server

  1. In the TLS 1.2\Server key, create the following:

DWORD (32-bit) Value – DisabledByDefault; set to 0

DWORD (32-bit) Value – Enabled; set to 1

Jacob
Sr. Technical Support Engineer
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...