
Why does our Indexer show that the receiving port is open but OS does not?

manderson7
Contributor

I'm trying to have 2 receiving ports on my index cluster, 1 as 9997 for local traffic, 1 as 9996 TCP for remote traffic. Both ports show as enabled in forwarding/receiving, and 9996 shows in a btool, but a local netstat -tulpn | grep 9996 doesn't show the port as open. I've used the same configuration on lab indexers without a problem. I've verified that the firewall is disabled on the local system. What am I missing?
local inputs.conf

[splunktcp-ssl://9996]
disabled = none

[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = **************
requireClientCert = false

local server.conf

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
0 Karma
1 Solution

manderson7
Contributor

Turned out that I needed my cert in a certain order, per this page, and Splunk inputs.conf was complaining about that. This inputs.conf stanza is what worked:

[splunktcp-ssl://9996]
compressed = true
connection_host = ip
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/servercert-1.pem
sslPassword = $1$/////////////////4654654==
requireClientCert = false


0 Karma
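As an added example (not from the thread or from Splunk), this POSIX shell script checks the two things the thread troubleshoots on the indexer: whether the splunktcp-ssl port is actually bound, and whether the PEM bundle named in serverCert lists its certificates leaf first, followed by the issuing CA(s). It assumes the bundle layout Splunk documents (server cert, private key, CA certs) and that openssl plus ss or netstat are installed; the port and path in the usage line are the ones from the question.

```shell
#!/bin/sh
# Added example: verify a Splunk splunktcp-ssl receiving port and its PEM chain order.
# Assumes serverCert holds: server cert, private key, then CA cert(s), as Splunk documents.

# Print the n-th CERTIFICATE block (1-based) of a PEM file; PRIVATE KEY blocks are skipped.
pem_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { c++ }
        c == n { print }
        /-----END CERTIFICATE-----/ && c == n { exit }
    ' "$1"
}

# Number of CERTIFICATE blocks in a PEM file.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Return 0 when each certificate's issuer is the subject of the certificate after it,
# i.e. the server cert comes first and the chain runs up to the root; 1 otherwise.
check_chain_order() {
    file="$1"
    n=$(pem_cert_count "$file")
    i=1
    while [ "$i" -lt "$n" ]; do
        issuer=$(pem_cert "$file" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
        next_subject=$(pem_cert "$file" $((i + 1)) | openssl x509 -noout -subject | sed 's/^subject=//')
        if [ "$issuer" != "$next_subject" ]; then
            echo "cert $i is issued by '$issuer' but cert $((i + 1)) is '$next_subject'" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# Return 0 when a TCP listener is bound to the port (the netstat check from the question).
port_listening() {
    { ss -ltn 2>/dev/null || netstat -tln 2>/dev/null; } | grep -q "[:.]$1 "
}

# Usage: sh check_splunk_ssl_input.sh 9996 /opt/splunk/etc/auth/server.pem
if [ "$#" -eq 2 ]; then
    port_listening "$1" && echo "port $1 is listening" || echo "port $1 is NOT listening"
    check_chain_order "$2" && echo "$2: certificate chain order OK"
fi
```

If the chain check fails, rebuild the bundle with the server certificate first and restart the input; a wrong order is one reason the listener never binds even though btool shows the stanza.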


worshamn
Contributor

Well in this answer https://answers.splunk.com/answers/544635/splunk-universal-forwarder-tls-certificate-update.html#ans..., I did not use the CA path in server.conf just everything in inputs.conf and it seems to work. Maybe give this a try:

[splunktcp-ssl://9996]
compressed = true
connection_host = ip
rootCA = $SPLUNK_HOME/etc/auth/your_CA_cert.pem
serverCert = $SPLUNK_HOME/etc/auth/your_cert_name.pem
sslPassword = your_cert_password
requireClientCert = false
0 Karma

echalex
Builder

Can you telnet to port 9996?
AFAIK, disabled does not need to be set. The valid values are 0 or 1, so remove or comment out that line. I'm just guessing that "none" is non-zero, so it might actually disable the input. However, you say that the port is shown as enabled...

manderson7
Contributor

Cannot telnet to 9996 from any machine. I'll try and change disabled to 0 from none, hopefully later today.

0 Karma