Hi Splunkers,
I am trying to encrypt my data in a lab to learn this feature. I need to apply this feature for my financial customer, who has critical data.
In this case, I am using the default Splunk certificate to test, located in C:\Program Files\Splunk\etc\auth
|| Splunk Server Windows 127.0.0.1:9998 || <---DATA ENCRYPTED--- || Universal Forwarder Windows ||
Universal Forwarder Windows
C:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf
[tcpout]
defaultGroup = default-autolb-group
[tcpout:default-autolb-group]
compressed = true
requireClientCert = false
server = 127.0.0.1:9998
sslCertPath = C:\Program Files\Splunk\etc\auth\server.pem
sslPassword = password
sslRootCAPath = C:\Program Files\Splunk\etc\auth\cacert.pem
Splunk Server
C:\Program Files\Splunk\etc\apps\search\local\inputs.conf
[splunktcp-ssl:9998]
connection_host = ip
compressed = true
[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\server.pem
rootCA = C:\Program Files\Splunk\etc\auth\cacert.pem
requireClientCert = false
password = password
When I did a search, I didn't see data in my Splunk.
Does anyone have any idea?
Cheers!
Hi dfigurello,
Did you check splunkd.log for any SSL related errors? Did you do some SSL troubleshooting? If you need a hint on that, follow this nice answer http://answers.splunk.com/answers/134053/ciphersuite-in-various-conf-files.
Regarding the not matching search: is it the correct index? The correct time range? Do you get anything back by using | tstats count where host=x or | metadata type=hosts ?
Hope this helps ...
cheers, MuS
Hi MuS,
I am sorry for answering so late. I did all the configuration in ..\etc\system\local, then I restarted Splunk and the Splunk forwarder. After that, my data was indexed.
I am very grateful.
Is your inputs.conf really here: C:\Program Files\Splunk\etc\apps\search\local\inputs.conf ?
To set custom configurations, place an inputs.conf in $SPLUNK_HOME/etc/system/local/
Hi MuS,
I ran a search:
index=_internal source="C:\Program Files\Splunk\var\log\splunk\splunkd.log" SSL
Then I found this error event:
8/26/14
9:00:09.613 AM
08-26-2014 09:00:09.613 -0300 INFO TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
host = rpti002 source = C:\Program Files\Splunk\var\log\splunk\splunkd.log sourcetype = splunkd
8/26/14
9:00:07.644 AM
08-26-2014 09:00:07.644 -0300 INFO loader - Server supporting SSL v2/v3
tks.
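A check for the receiving side of the setup discussed in this thread, as an added example that is not part of the original posts: it lints inputs.conf text for the [splunktcp-ssl] and [SSL] stanzas and looks for the TcpInputConfig message quoted above in splunkd.log lines. The function names and the sample strings are constructed for illustration.

```python
import re
# Constructed sample, modelled on the inputs.conf posted in the question.
SAMPLE_INPUTS = r"""
[splunktcp-ssl:9998]
connection_host = ip
[SSL]
serverCert = C:\Program Files\Splunk\etc\auth\server.pem
requireClientCert = false
password = password
"""
# Constructed log line carrying the message quoted in the thread.
SAMPLE_LOG = ["08-26-2014 09:00:09.613 -0300 INFO TcpInputConfig - SSL clause "
              "not found or servercert not provided - SSL ports will not be available"]

def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_ssl_input(stanzas):
    """Return findings for the receiving side of an encrypted forwarder link."""
    findings = []
    ssl = stanzas.get("SSL")
    if not any(name.startswith("splunktcp-ssl:") for name in stanzas):
        findings.append("no [splunktcp-ssl:<port>] stanza")
    if ssl is None or not ssl.get("serverCert"):
        findings.append("[SSL] stanza or serverCert missing")
        return findings
    # An absent requireClientCert is treated as "not enabled" in this example.
    if ssl.get("requireClientCert", "false").lower() != "true":
        findings.append("requireClientCert is not true: forwarders are not authenticated")
    if ssl.get("password") == "password":
        findings.append("certificate password is the literal 'password'")
    return findings

def ssl_ports_disabled(log_lines):
    """True if splunkd logged that the SSL input could not be enabled."""
    return any("TcpInputConfig" in l and "SSL ports will not be available" in l
               for l in log_lines)

if __name__ == "__main__":
    print(check_ssl_input(parse_conf(SAMPLE_INPUTS)), ssl_ports_disabled(SAMPLE_LOG))
```

This lints one file at a time; on a live instance, `splunk cmd btool inputs list --debug` prints the merged configuration together with the file each setting comes from.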