Splunk not working after turning on SSL for forwarder and indexer communication

christay
New Member

Hi Guys,

We have the following environment set up: 2 x indexer and 1 x forwarder with 1 Master Node + Search Head.

We have configured it to use indexer discovery and got it to work, whereby the Forwarder is able to pass the logs over to the Indexer.

However, when we turn on the SSL, the logs are not forwarding over to the indexer anymore.

From the forwarder error logs, I saw the following error => "02-15-2019 09:09:35.768 +0000 ERROR TcpOutputProc - target=Indexer:9997 ssl=0 mismatch with ssl config in outputs.conf for server, skipping..."

Can you advise what is wrong here?

0 Karma

ashajambagi
Communicator

Try using btool to verify the configuration files.

0 Karma

christay
New Member

Hi ashajambagi,

Thanks for the suggestion. Finally found the error using btool; it was due to a conflicting configuration for SSL port 9997.

Somehow, besides inputs.conf, there's another config residing under launcher that is also configured to use port 997, which is non-SSL, causing the issue I encountered.

0 Karma
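
The btool check that resolved this, as an added example that is not part of the original thread: a Python script that reads `splunk btool inputs list --debug` output and reports any port with both an enabled plain `splunktcp` listener and an enabled `splunktcp-ssl` listener, along with the file each stanza came from. The sample output, the paths in it and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `splunk btool inputs list --debug` output (not from the
# thread): each line is the source file, then the stanza header or setting.
SAMPLE_BTOOL = """\
/opt/splunk/etc/apps/launcher/local/inputs.conf  [splunktcp://9997]
/opt/splunk/etc/apps/launcher/local/inputs.conf  disabled = 0
/opt/splunk/etc/system/local/inputs.conf         [splunktcp-ssl:9997]
/opt/splunk/etc/system/local/inputs.conf         disabled = 0
/opt/splunk/etc/system/local/inputs.conf         [SSL]
/opt/splunk/etc/apps/legacy/local/inputs.conf    [splunktcp://9998]
/opt/splunk/etc/apps/legacy/local/inputs.conf    disabled = 1
"""

LINE = re.compile(r"^(.*?\.conf)\s+(.*)$")  # "<source file>  <stanza or setting>"
RECEIVER = re.compile(r"^\[(splunktcp(?:-ssl)?):(?://)?(?:[^\]:]*:)?(\d+)\]$")

def parse_receivers(text):
    """Return one dict per splunktcp / splunktcp-ssl listener stanza."""
    receivers, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        source, body = m.group(1), m.group(2).strip()
        if body.startswith("["):  # any new stanza header ends the previous stanza
            r = RECEIVER.match(body)
            current = {"port": int(r.group(2)), "ssl": r.group(1) == "splunktcp-ssl",
                       "source": source, "disabled": False} if r else None
            if current:
                receivers.append(current)
        elif current and body.replace(" ", "").lower() in ("disabled=1", "disabled=true"):
            current["disabled"] = True
    return receivers

def find_ssl_conflicts(text):
    """Map port -> listeners where enabled plain and SSL stanzas share the port."""
    by_port = defaultdict(list)
    for r in parse_receivers(text):
        if not r["disabled"]:
            by_port[r["port"]].append(r)
    return {port: rs for port, rs in by_port.items()
            if {r["ssl"] for r in rs} == {True, False}}

if __name__ == "__main__":
    for port, rs in find_ssl_conflicts(SAMPLE_BTOOL).items():
        for r in rs:
            print(port, "ssl" if r["ssl"] else "plain", r["source"])
```

On a real indexer, feed it the captured output of `$SPLUNK_HOME/bin/splunk btool inputs list --debug` instead of the sample string.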

ashajambagi
Communicator

Glad the suggestion helped resolve your error!

0 Karma

vishaltaneja070
Motivator

Hello @christay

Did you mention the SSL details in inputs.conf and outputs.conf as described in the link below:

Configure indexer discovery with SSL

https://docs.splunk.com/Documentation/Splunk/7.2.4/Indexer/indexerdiscovery
0 Karma

christay
New Member

Hi Vishal,

I have configured it based on the documents I got from Splunk, running ver 7.2.0.

input.config in one of my index servers is as follows:

[default]
host = SPLUNK01
[splunktcp-ssl:9997]
disabled = 0
[SSL]
serverCert = /opt/splunk/etc/system/local/certs/myIndexer.pem
sslPassword = hashxx
requireClientCert = false

output.config under my forwarder is as follows:

[indexer_discovery:AWSINDEX]
pass4SymmKey = hashxxxx
master_uri = https://1.1.1.1:8089

[tcpout:splunkaws]
indexerDiscovery = AWSINDEX
useACK = true
autoLBFrequency = 30
forceTimebasedAutoLB = true

# SSL Config Below

clientCert = /opt/splunkforwarder/etc/system/local/certs/myForwarder.pem
sslPassword = hashxxxx

[tcpout]
defaultGroup = splunkaws

0 Karma

vishaltaneja070
Motivator

@christay,

Can you please try moving the cert under the /opt/splunk/etc/auth/certs directory and try again?

0 Karma

christay
New Member

Hi Vishal,

I have tested by moving my certs to :

/opt/splunk/etc/auth/certs for my indexer

and
/opt/splunkforwarder/etc/auth/certs for my forwarder

Still the same error reported above.

0 Karma

vishaltaneja070
Motivator

Did you mention the sslRootCAPath path in server.conf on the indexer?

0 Karma

christay
New Member

Yup, I did, as per the documentation in ver 7.2.0.
Which is why I can't figure out which part I have gone wrong.....

0 Karma