Why does our Indexer show that the receiving port is open but OS does not?

manderson7
Contributor

I'm trying to have 2 receiving ports on my index cluster, 1 as 9997 for local traffic, 1 as 9996 TCP for remote traffic. Both ports show as enabled in forwarding/receiving, and 9996 shows in a btool, but a local netstat -tulpn | grep 9996 doesn't show the port as open. I've used the same configuration on lab indexers without a problem. I've verified that the firewall is disabled on the local system. What am I missing?
local inputs.conf

[splunktcp-ssl://9996]
disabled = none

[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = **************
requireClientCert = false

local server.conf

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
1 Solution

manderson7
Contributor

Turned out that I needed my cert in a certain order, per this page, and Splunk inputs.conf was complaining about that. This inputs.conf stanza is what worked:

[splunktcp-ssl://9996]
compressed = true
connection_host = ip
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/servercert-1.pem
sslPassword = $1$/////////////////4654654==
requireClientCert = false

worshamn
Contributor

Well, in this answer https://answers.splunk.com/answers/544635/splunk-universal-forwarder-tls-certificate-update.html#ans..., I did not use the CA path in server.conf, just everything in inputs.conf, and it seems to work. Maybe give this a try:

[splunktcp-ssl:9996]
compressed = true
connection_host = ip
rootCA = $SPLUNK_HOME/etc/auth/your_CA_cert.pem
serverCert = $SPLUNK_HOME/etc/auth/your_cert_name.pem
sslPassword = your_cert_password
requireClientCert = false

echalex
Builder

Can you telnet to port 9996?
Afaik, disabled does not need to be set. The valid values are 0 or 1, so remove or comment out that line. I'm just guessing that "none" is non-zero, so it might actually disable the input. However, you say that the port is shown as enabled...

manderson7
Contributor

Cannot telnet to 9996 from any machine. I'll try and change disabled to 0 from none, hopefully later today.

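Two offline checks that would have caught the faults this thread turned on: the order of PEM blocks in the file that serverCert points at (the accepted answer), and the non-boolean `disabled = none` value echalex flagged. This is an added example, not code from the thread or from Splunk. It assumes the assembly order Splunk's documentation gives for a combined server certificate file (server certificate, then private key, then CA certificate), that `disabled` accepts only 0, 1, true or false, and it uses constructed placeholder PEM files whose bodies are filler, not real keys or certificates. It also includes a tighter listening-port check than `netstat -tulpn | grep 9996`, which matches any line containing those digits, not only a socket listening on that port.

```shell
#!/bin/sh
# Added example, not from the thread or from Splunk. Offline checks for the two
# configuration faults this thread turned on, plus a tighter port check.

# 1. List the PEM block types in a combined certificate file, in file order.
#    Prints e.g. "CERTIFICATE,PRIVATE KEY,CERTIFICATE". Key-type prefixes
#    (RSA/EC/ENCRYPTED) are dropped so every key reads as "PRIVATE KEY".
pem_block_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" \
        | sed 's/^RSA //; s/^EC //; s/^ENCRYPTED //' \
        | tr '\n' ',' | sed 's/,$//'
}

# 2. Accept the order Splunk's documentation uses when assembling serverCert:
#    server certificate, then its private key, then any CA certificates.
#    (Assumed from the docs; the thread itself does not spell the order out.)
pem_order_ok() {
    case "$(pem_block_order "$1")" in
        "CERTIFICATE,PRIVATE KEY"|"CERTIFICATE,PRIVATE KEY,CERTIFICATE"*) return 0 ;;
        *) return 1 ;;
    esac
}

# 3. Report every `disabled = <value>` in a .conf file whose value is not a
#    Splunk boolean (0, 1, true, false). `disabled = none` gets flagged.
bad_disabled_values() {
    awk '
        /^\[.*\]$/ { stanza = $0; next }
        /^[ \t]*disabled[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)
            sub(/[ \t]+$/, "", v)
            if (v !~ /^(0|1|true|false)$/) print stanza " disabled=" v
        }' "$1"
}

# 4. Is a TCP port in LISTEN state locally? Anchoring on ":PORT<space>" in the
#    local-address column of listening sockets avoids the false match that
#    `grep 9996` gives for any line that merely contains those digits.
port_listening() {
    { ss -ltn 2>/dev/null || netstat -tln 2>/dev/null; } \
        | grep -q "[:.]$1[[:space:]]"
}

# Constructed sample files. The base64 bodies are filler, not real keys or certs.
DEMO_DIR="${TMPDIR:-/tmp}/splunk-ssl-demo.$$"
write_samples() {
    mkdir -p "$DEMO_DIR"
    printf '%s\n' \
        '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
        > "$DEMO_DIR/wrong-order.pem"
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
        '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' \
        '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
        > "$DEMO_DIR/right-order.pem"
    cat > "$DEMO_DIR/inputs.conf" <<'EOF'
[splunktcp-ssl://9996]
disabled = none

[splunktcp://9997]
disabled = 0
EOF
}

write_samples
for f in wrong-order right-order; do
    if pem_order_ok "$DEMO_DIR/$f.pem"; then verdict=ok; else verdict=BAD; fi
    printf '%-12s %-40s %s\n' "$f" "$(pem_block_order "$DEMO_DIR/$f.pem")" "$verdict"
done
bad_disabled_values "$DEMO_DIR/inputs.conf"
if port_listening 9996; then echo "9996 is listening"; else echo "9996 is not listening"; fi
```

Run it against the real files by pointing `pem_block_order` at the path in your serverCert setting and `bad_disabled_values` at `$SPLUNK_HOME/etc/system/local/inputs.conf` (or `splunk btool inputs list --debug` output saved to a file); splunkd.log will still hold the authoritative error when the input fails to bind, but these checks answer the two questions before a restart.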