Splunk Enterprise Security

ASP Net Core 2.1 App throws intermittent SSL error while logging to Splunk

sghosh007
New Member

we have a .net core app which we recently migragated to 2.1 from 1.x. Post migration we have seen that the app hangs everytime we recycle the application pool, the app can’t be reached and only resolution to this is to stop the app pool, kill dotnet.exe, and the start the pool. After few hours of investigation we found out some exceptions which says the app was unable to write to loggers - because of an Ssl connection issue. We use Microsoft.Logging.Extensions and send these to Splunk over https using the configuration from appsettings json file. This is intermittent, as after few restarts of the app pool it behaves fine. Even it remains stable for few hours or even days before it goes down again. After we commented out the code to add this Splunk logging at the startup the app runs just fine and shows no issues on app pool recycling, behaves exactly how it should.
We derived from this behaviour that the Splunk connection issue might be causing the app to hang?
Also after researching a bit found this article on the web which also talks about the same thing and states the resolution as disabling SSL - https://salanoi.com/2017/09/16/test/ - For some reason SSL connection doesn’t work will when Splunk is started from Docker image with default settings. After some investigation root cause was found. It was caused by self-signed certificate. In order to solve this issue it was decided to turn off SSL

As a result of this we had to turn off Splunk logging temporarily till we find a stable solution. I would really appreciate if someone can throw some light and help us find the correct solution. Please provide some insights and help us resolving the issue.

0 Karma

jkat54
SplunkTrust
SplunkTrust

You need to either install a proper ssl cert on the port you’re sending the data in on or disable ssl verification warnings programmatically in your app.

Ideally,
Your app should be writing to a message bus which then feeds into Splunk HTTP Event Collector versus feeding into a splunk tcp input port.

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...