Security
Highlighted

Why does our Indexer show that the receiving port is open but OS does not?

Contributor

I'm trying to have 2 receiving ports on my index cluster, 1 as 9997 for local traffic, 1 as 9996 TCP for remote traffic. Both ports show as enabled in forwarding/receiving, and 9996 shows in a btool, but a local netstat -tulpn | grep 9996 doesn't show the port as open. I've used the same configuration on lab indexers without a problem. I've verified that the firewall is disabled on the local system. What am I missing?
local inputs.conf

[splunktcp-ssl://9996]
disabled = none

[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = **************
requireClientCert = false

local server.conf

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
0 Karma
Highlighted

Re: Why does our Indexer show that the receiving port is open but OS does not?

Builder

Can you telnet to port 9996?
Afaik, disabled does not need to be set. The valid values are 0 or 1, so remove or comment out that line. I'm just guessing that "none" is non-zero, so it might actually disable the input. However, you say that the port is shown as enabled...

Highlighted

Re: Why does our Indexer show that the receiving port is open but OS does not?

Contributor

Cannot telnet to 9996 from any machine. I'll try and change disabled to 0 from none, hopefully later today.

0 Karma
Highlighted

Re: Why does our Indexer show that the receiving port is open but OS does not?

Communicator

Well in this answer https://answers.splunk.com/answers/544635/splunk-universal-forwarder-tls-certificate-update.html#ans..., I did not use the CA path in server.conf just everything in inputs.conf and it seems to work. Maybe give this a try:

[splunktcp-ssl:9996]
 compressed = true
 connection_host = ip
 rootCA = $SPLUNK_HOME/etc/auth/your_CA_cert.pem
 serverCert = $SPLUNK_HOME/etc/auth/your_cert_name.pem
 sslPassword = your_cert_password
 requireClientCert = false
0 Karma
Highlighted

Re: Why does our Indexer show that the receiving port is open but OS does not?

Contributor

Turned out that I needed my cert in a certain order, per this page; , and Splunk inputs.conf was complaining about that. This inputs.conf stanza is what worked:

[splunktcp-ssl://9996]
compressed = true
connection_host = ip
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/servercert-1.pem
sslPassword = $1$/////////////////4654654==
requireClientCert = false

View solution in original post

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.