Security

How to change the instance and machine name without getting authentication errors on Monitoring Console?

Builder

Hi,

I have a Splunk server that acts as a Monitoring Console for my indexer. I wanted to change the server name of the server with the Monitoring Console, both in inputs.conf and server.conf. After I did so and restarted the instance it will no longer connect to my indexer over REST, and thus information in the Monitoring Console is missing. The error I'm getting is that the authentication token is wrong.

Is there a way of changing the server name on my Monitoring Console without getting authentication errors?

0 Karma
1 Solution

Builder

I figured out a way to fix the authentication failure. Although both the pass4SymKey and sslPassword remained the same after the server name change, even if I deleted them and restarted the machine to generate new ones, the Monitoring Console couldn't authenticate to the indexer. To solve it I had to go in the UI to settings > distributed search > search peers > indexer. There I had to re-validate the password for the Splunk admin account used for REST. For some reason the password is deleted (?) when the server name of the Monitoring Console instance is changed.

View solution in original post

0 Karma

Builder

I figured out a way to fix the authentication failure. Although both the pass4SymKey and sslPassword remained the same after the server name change, even if I deleted them and restarted the machine to generate new ones, the Monitoring Console couldn't authenticate to the indexer. To solve it I had to go in the UI to settings > distributed search > search peers > indexer. There I had to re-validate the password for the Splunk admin account used for REST. For some reason the password is deleted (?) when the server name of the Monitoring Console instance is changed.

View solution in original post

0 Karma

Builder

Hi. After changing the hostname on OS everthing worked fine. It wasn't before I manually changed the server name in the config files afterwards problems came up. On the OS level I can still ping the machines from eachother.

The error messages I'm getting are the following.

WARN GetRemoteAuthToken - Unable to get authentication token from peeruri="https://indexer:8089/services/admin/auth-tokens"

WARN DistributedPeer - Peer: https://indexer:8089 Failed to get server info from https://indexer:8089/services/server/info response code=401
0 Karma

Motivator

After changing serverName in server.conf, did you change pass4SymmKey to plain text password before restarting?

0 Karma

Builder

No. I dond't remember ever setting the pass4SymmKey. Pretty sure it's auto generated. Is it a viable solution to just remove the pass4SymmKey after changing the serverName in server.conf, and then restart the instance? Wouldn't the instance then generate a new pass4SymmKey?

0 Karma

Motivator

Hi there,

Can you ping your MC from indexer after changing the hostname? Also, what does your splunkd.log say, can you paste the errors?

0 Karma