I'm trying to have 2 receiving ports on my index cluster, 1 as 9997 for local traffic, 1 as 9996 TCP for remote traffic. Both ports show as enabled in forwarding/receiving, and 9996 shows in a btool, but a local netstat -tulpn | grep 9996 doesn't show the port as open. I've used the same configuration on lab indexers without a problem. I've verified that the firewall is disabled on the local system. What am I missing?
inputs.conf:

[splunktcp-ssl://9996]
disabled = none
[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = **************
requireClientCert = false

server.conf:

[sslConfig]
sslRootCAPath = /opt/splunk/etc/auth/cacert.pem
Can you telnet to port 9996?
disabled does not need to be set. The valid values are 0 or 1, so remove or comment out that line. I'm just guessing that "none" is non-zero, so it might actually disable the input. However, you say that the port is shown as enabled...
Cannot telnet to 9996 from any machine. I'll try and change disabled to 0 from none, hopefully later today.
Well, in this answer https://answers.splunk.com/answers/544635/splunk-universal-forwarder-tls-certificate-update.html#ans..., I did not use the CA path in server.conf, just everything in inputs.conf, and it seems to work. Maybe give this a try:

[splunktcp-ssl:9996]
compressed = true
connection_host = ip
rootCA = $SPLUNK_HOME/etc/auth/your_CA_cert.pem
serverCert = $SPLUNK_HOME/etc/auth/your_cert_name.pem
sslPassword = your_cert_password
requireClientCert = false
Turned out that I needed my cert in a certain order, per this page, and Splunk inputs.conf was complaining about that. This inputs.conf stanza is what worked:

[splunktcp-ssl://9996]
compressed = true
connection_host = ip
disabled = 0
[SSL]
serverCert = $SPLUNK_HOME/etc/auth/servercert-1.pem
sslPassword = $1$/////////////////4654654==
requireClientCert = false
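Added example, not part of the thread or of Splunk's own tooling: a small Python check for the two things this thread turned on, a non-boolean `disabled` value on the splunktcp-ssl receiver and a server.pem whose blocks are in the wrong order. The accepted boolean values and the server.pem layout (server certificate, then its private key, then CA certificate(s)) follow Splunk's documentation; the sample stanza and PEM bodies are constructed placeholders.

```python
import re
# Constructed sample: the stanza posted in the question, with 'disabled = none'
BAD_INPUTS = """\
[splunktcp-ssl://9996]
disabled = none
[SSL]
serverCert = /opt/splunk/etc/auth/server.pem
sslPassword = REDACTED
requireClientCert = false
"""
GOOD_INPUTS = BAD_INPUTS.replace("disabled = none", "disabled = 0")

# Constructed PEM files; bodies are placeholders, not real key material
def _pem(label):
    return f"-----BEGIN {label}-----\nPLACEHOLDER\n-----END {label}-----\n"
GOOD_PEM = _pem("CERTIFICATE") + _pem("PRIVATE KEY") + _pem("CERTIFICATE")
BAD_PEM = _pem("PRIVATE KEY") + _pem("CERTIFICATE") + _pem("CERTIFICATE")
VALID_BOOL = {"0", "1", "true", "false"}  # values Splunk accepts for boolean settings

def parse_stanzas(text):
    """Parse .conf text into {stanza: {key: value}}; [SSL] becomes its own stanza."""
    stanzas, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            stanzas[current][key] = value
    return stanzas

def lint_inputs(text):
    """Flag a non-boolean 'disabled' on splunktcp-ssl receivers and missing [SSL] keys."""
    findings, stanzas = [], parse_stanzas(text)
    for name, keys in stanzas.items():
        disabled = keys.get("disabled")
        if (name.startswith("splunktcp-ssl") and disabled is not None
                and disabled.lower() not in VALID_BOOL):
            findings.append(f"{name}: 'disabled = {disabled}' is not a boolean; use 0 or 1")
    for required in ("serverCert", "sslPassword"):
        if required not in stanzas.get("SSL", {}):
            findings.append(f"[SSL]: missing {required}")
    return findings

def server_pem_is_ordered(pem_text):
    """Splunk's documented server.pem layout: server cert, its private key, then CA cert(s)."""
    labels = re.findall(r"-----BEGIN ([A-Z ]+)-----", pem_text)
    return (len(labels) >= 3 and labels[0] == "CERTIFICATE"
            and labels[1].endswith("PRIVATE KEY")
            and all(l == "CERTIFICATE" for l in labels[2:]))
```

Run `lint_inputs` over the real inputs.conf (btool output works too) and `server_pem_is_ordered` over the file named in `serverCert` before restarting splunkd; a non-empty findings list or a False result is the first thing to fix when the port does not appear in netstat.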