Hey Splunk team,
I need a bit (okay, a lot) of help. I'm not sure what I'm doing wrong, but I'm following these guides to create my own self-signed SSL certificate:
http://wiki.splunk.com/Community:Splunk2Splunk_SSL_SelfSignedCert_NewRootCA
http://docs.splunk.com/Documentation/Splunk/7.0.2/Security/Howtoself-signcertificates
However, after looking at my logs, my forwarder shows the following:
02-27-2018 00:45:19.808 -0800 INFO TcpOutputProc - Removing quarantine from idx=192.168.0.43:9997
02-27-2018 00:45:19.808 -0800 WARN TcpOutputFd - Connect to 192.168.0.43:9997 failed. Connection refused
02-27-2018 00:45:19.808 -0800 ERROR TcpOutputFd - Connection to host=192.168.0.43:9997 failed
02-27-2018 00:45:19.809 -0800 WARN TcpOutputFd - Connect to 192.168.0.43:9997 failed. Connection refused
02-27-2018 00:45:19.809 -0800 ERROR TcpOutputFd - Connection to host=192.168.0.43:9997 failed
02-27-2018 00:45:19.809 -0800 WARN TcpOutputProc - Applying quarantine to ip=192.168.0.43 port=9997 _numberOfFailures=2
At this point I'm not sure what I'm doing wrong. If it helps, my forwarder's outputs.conf looks like this:
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = 192.168.0.43:9997
compressed = true
sslRootCAPath = /opt/splunkforwarder/etc/certs/myCACertificate.pem
sslCertPath = /opt/splunkforwarder/etc/certs/myServerCertificate.pem
sslPassword = $xxxxxxxxxxxxx=
sslVerifyServerCert = true
My indexer's inputs.conf looks like this:
[default]
host = splunk
[SSL]
rootCA = /opt/splunk/etc/certs/myCACertificate.pem
serverCert = /opt/splunk/etc/certs/myServerCertificate.pem
password = $xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
#password = $xxxxxxxxxxxxxx
requireClientCert = false
[splunktcp-ssl:9997]
compressed = true
disabled = 0
And I've added this line to my indexer's server.conf. This was based on the default configuration for SSL certificates on the indexer, plus the guide to using self-signed certs:
sslRootCAPatch = /opt/splunk/etc/system/local/certs/myCACertificate.pem
Any help or advice is appreciated.
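As an added troubleshooting example (not part of the original question, and not Splunk's own tooling): a small POSIX shell script that checks, offline, whether the server certificate chains to the CA pinned in sslRootCAPath, whether the forwarder and indexer point at the same CA, and whether a "Connection refused" like the one in the log above is a TCP-level failure rather than a TLS one. File paths and host:port are assumed; demo() builds a constructed, throwaway CA and server cert in a temp dir.

```shell
#!/bin/sh
# Added example (not from the original post): offline checks for the
# forwarder -> indexer TLS pieces in the question. File paths are assumed;
# demo() builds a throwaway CA and server cert in a temp dir.

# Does the server cert chain to the CA the forwarder pins via sslRootCAPath?
# This is the check sslVerifyServerCert = true performs at connect time.
check_cert_chain() {   # $1 = CA PEM, $2 = server cert PEM; prints ok|fail
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# The forwarder's sslRootCAPath and the indexer's [SSL] rootCA are on two
# hosts, so compare the CA by SHA-256 fingerprint rather than by path.
same_ca() {            # $1, $2 = CA PEM files; prints yes|no
    a=$(openssl x509 -noout -fingerprint -sha256 -in "$1" 2>/dev/null)
    b=$(openssl x509 -noout -fingerprint -sha256 -in "$2" 2>/dev/null)
    if [ -n "$a" ] && [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# "Connection refused" from TcpOutputFd is a TCP failure (nothing listening
# on the port), not a TLS one. Tell the two apart from the forwarder host.
probe_tls() {          # $1 = host:port, $2 = CA PEM; prints refused|tls-ok|tls-fail
    out=$(echo | openssl s_client -connect "$1" -CAfile "$2" 2>&1)
    case "$out" in
        *refused*|*errno=111*)      echo refused ;;   # no listener (ECONNREFUSED)
        *"Verify return code: 0 "*) echo tls-ok ;;    # handshake and chain both OK
        *)                          echo tls-fail ;;  # handshake or chain verify failed
    esac
}

# Constructed demo PKI: a root CA, a server cert it signed, and an unrelated CA.
gen_demo_pki() {       # $1 = output dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=splunk" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -out "$1/server.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other CA" \
        -keyout "$1/other.key" -out "$1/other.pem" >/dev/null 2>&1
}
demo() {
    d=$(mktemp -d) && gen_demo_pki "$d"
    echo "server cert vs its own CA:  $(check_cert_chain "$d/ca.pem" "$d/server.pem")"
    echo "server cert vs other CA:    $(check_cert_chain "$d/other.pem" "$d/server.pem")"
    echo "same CA on both sides:      $(same_ca "$d/ca.pem" "$d/other.pem")"
    rm -rf "$d"
}
demo
```

On the forwarder, run probe_tls against the indexer address from outputs.conf with the forwarder's sslRootCAPath file; "refused" means the splunktcp-ssl listener is not up on that port, while "tls-fail" points at the certificate or CA configuration instead.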