Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does our Indexer show that the receiving port is open but OS does not?

manderson7
Contributor
‎10-22-2018 08:18 AM

I'm trying to have 2 receiving ports on my index cluster, 1 as 9997 for local traffic, 1 as 9996 TCP for remote traffic. Both ports show as enabled in forwarding/receiving, and 9996 shows in a btool, but a local netstat -tulpn | grep 9996 doesn't show the port as open. I've used the same configuration on lab indexers without a problem. I've verified that the firewall is disabled on the local system. What am I missing?
local inputs.conf

[splunktcp-ssl://9996]
disabled = none

[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = **************
requireClientCert = false

local server.conf

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manderson7
Contributor
‎11-02-2018 10:03 AM

Turned out that I needed my cert in a certain order, per this page; , and Splunk inputs.conf was complaining about that. This inputs.conf stanza is what worked:

[splunktcp-ssl://9996]
compressed = true
connection_host = ip
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/servercert-1.pem
sslPassword = $1$/////////////////4654654==
requireClientCert = false

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manderson7
Contributor
‎11-02-2018 10:03 AM

Turned out that I needed my cert in a certain order, per this page; , and Splunk inputs.conf was complaining about that. This inputs.conf stanza is what worked:

[splunktcp-ssl://9996]
compressed = true
connection_host = ip
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/servercert-1.pem
sslPassword = $1$/////////////////4654654==
requireClientCert = false
0 Karma
Reply
Solved! Jump to solution

worshamn
Contributor
‎10-22-2018 09:02 AM

Well in this answer https://answers.splunk.com/answers/544635/splunk-universal-forwarder-tls-certificate-update.html#ans..., I did not use the CA path in server.conf just everything in inputs.conf and it seems to work. Maybe give this a try:

[splunktcp-ssl:9996]
 compressed = true
 connection_host = ip
 rootCA = $SPLUNK_HOME/etc/auth/your_CA_cert.pem
 serverCert = $SPLUNK_HOME/etc/auth/your_cert_name.pem
 sslPassword = your_cert_password
 requireClientCert = false
0 Karma
Reply
Solved! Jump to solution

echalex
Builder
‎10-22-2018 08:39 AM

Can you telnet to port 9996?
Afaik, disabled does not need to be set. The valid values are 0 or 1, so remove or comment out that line. I'm just guessing that "none" is non-zero, so it might actually disable the input. However, you say that the port is shown as enabled...

Reply
Solved! Jump to solution

manderson7
Contributor
‎10-22-2018 10:53 AM

Cannot telnet to 9996 from any machine. I'll try and change disabled to 0 from none, hopefully later today.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top