- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Why does our Indexer show that the receiving port ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm trying to have 2 receiving ports on my index cluster, 1 as 9997 for local traffic, 1 as 9996 TCP for remote traffic. Both ports show as enabled in forwarding/receiving, and 9996 shows in a btool, but a local netstat -tulpn | grep 9996 doesn't show the port as open. I've used the same configuration on lab indexers without a problem. I've verified that the firewall is disabled on the local system. What am I missing?
local inputs.conf
[splunktcp-ssl://9996]
disabled = none
[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = **************
requireClientCert = false
local server.conf
[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turned out that I needed my cert in a certain order, per this page; , and Splunk inputs.conf was complaining about that. This inputs.conf stanza is what worked:
[splunktcp-ssl://9996]
compressed = true
connection_host = ip
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/servercert-1.pem
sslPassword = $1$/////////////////4654654==
requireClientCert = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turned out that I needed my cert in a certain order, per this page; , and Splunk inputs.conf was complaining about that. This inputs.conf stanza is what worked:
[splunktcp-ssl://9996]
compressed = true
connection_host = ip
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/servercert-1.pem
sslPassword = $1$/////////////////4654654==
requireClientCert = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well in this answer https://answers.splunk.com/answers/544635/splunk-universal-forwarder-tls-certificate-update.html#ans..., I did not use the CA path in server.conf just everything in inputs.conf and it seems to work. Maybe give this a try:
[splunktcp-ssl:9996]
compressed = true
connection_host = ip
rootCA = $SPLUNK_HOME/etc/auth/your_CA_cert.pem
serverCert = $SPLUNK_HOME/etc/auth/your_cert_name.pem
sslPassword = your_cert_password
requireClientCert = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you telnet to port 9996?
Afaik, disabled does not need to be set. The valid values are 0 or 1, so remove or comment out that line. I'm just guessing that "none" is non-zero, so it might actually disable the input. However, you say that the port is shown as enabled...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cannot telnet to 9996 from any machine. I'll try and change disabled to 0 from none, hopefully later today.
Observability | How to Think About Instrumentation Overhead (White Paper)
Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)
The Great Resilience Quest: 10th Leaderboard Update
