Splunk Cloud Platform

Action Needed for Forwarder Certificate Expiry

SabariRajanT
Path Finder

Hi Team,

My universal forwarder certificate package, will be expiring soon in my splunk cloud environment. As a result, splunk vendor updated forwarder package on stack with updated certificates to be deployed across any forwarders that connect directly to my Splunk instance.

My Action: I should download and install the updated Universal Forwarder certificate package on all forwarders prior to the upcoming maintenance window.

Can someone elaborate the pre-conditions and further steps to be taken care before my maintenance window.

FYI - I have the splunkclouduf.spl package

Thanks,

Sabari

 

 

Labels (1)
Tags (1)
0 Karma

Roy_9
Motivator

Hi @SabariRajanT 

I am on Splunk cloud and we receive this notification quarterly.Below are the steps which we followed.

1. Download the Splunk UF credential package and untar it and deploy it to /opt/splunkforwarder/etc/apps folder on all the Splunk agents via Deployment Server (or)
2. You can manually place the file under the /opt/splunkforwarder/etc/apps folder and do a Splunk restart that would suffice.

 

After performing this, if you want to check whether the UF's are reporting the legacy or new certificate package, run the below search on your search head.

 

index=_internal source=metrics.log group=tcpout_connections name=splunkcloud
| stats latest(_time) AS _time latest(name) AS name by host
| rex field=name "(?<output_group>.+?):"
| eval fwd_config=if(output_group="splunkcloud","legacy","new")
| stats count by _time host output_group fwd_config
| reltime
| fields _time reltime host output_group fwd_config
| sort 0 fwd_config

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

at least you should check what is the earliest time when the new certificate is valid and you can start to use it. Here is one way to check it.

  1. Unpack your splunclouduf.spl in your disk.
  2. Check certs start time:
    1. splunk cmd openssl x509 -in 100_<Your_Stack_Name>_splunkcloud/default/splunktrust_server.pem -text -noout|egrep "Not Before"

Disclaimer: I haven't yet need to update current splunk cloud certificates, so I'm not sure it this is need or not. Maybe they inform you just after this is already valid?

0 Karma

SabariRajanT
Path Finder

Hi @isoutamo 

Thanks for your response,

I have the updated certificates in handy, Im planning to proceed below way, Kindly assist

1)Installing the forwarder credentials on many forwarders using a deployment server

  1. From Splunk Cloud Platform instance, go to Apps > Universal Forwarder.
  2. Click Download Universal Forwarder Credentials.
  3. Note the location where the credentials file was downloaded. The credentials file is named splunkclouduf.spl.
  4. Copy the file to your /tmp folder.
  5. (optional) Use file management tools to move the splunkclouduf.spl file to the $SPLUNK_HOME/etc/deployment-apps/ directory on the deployment server.
  6. In a shell or command prompt, unpack the credentials package by running the following command:

tar xvf splunkclouduf.spl

  1. Navigate to the /bin subdirectory of the deployment server.
  2. Install the credentials package by running the following command:

splunk install app <full path to splunkclouduf.spl> -auth <username>:<password>

where <full path to splunkclouduf.spl> is the path to the directory where the splunkclouduf.spl file is located and <username>:<password> are the username and password of an existing admin account on the universal forwarder.

  1. Restart the deployment server by running the following command:

/splunk restart

Tags (2)
0 Karma
Get Updates on the Splunk Community!

Federated Search for Amazon S3 | Key Use Cases to Streamline Compliance Workflows

Modern business operations are supported by data compliance. As regulations evolve, organizations must ...

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...