Solved: Re: Splunk web is not accessible after installing ...

saurabh_tek11 · ‎04-18-2018

i have installed ES 4.7 and it took long time to get installed (left it running last evening and this morning ES was up and running). pending restart. i restarted splunk but after that splunk web is not accessible.

same was happening when i tried installing ES 5(known issue) yesterday but then i removed that and fell back on more stable (IMO) ES4.7 version. Now my splunk web is not accessing on https any idea how to fix this

$INSTALL/var/log/splunk/splunkd.log says -

04-19-2018 10:08:03.390 +0400 WARN  HttpListener - Socket error from 10.1.23.202 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

There are rw permissions to splunk (user) on /opt/splunk/etc/myinstall/splunkd.xml .

saurabh_tek11 · ‎04-19-2018

The intermediate WAF was the culprit.

View solution in original post

saurabh_tek11 · ‎04-19-2018

The intermediate WAF was the culprit.

burakcinar · ‎04-18-2018

what's your splunk version ?
it seems there are some known issues for SSL .

http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Knownissues

server.conf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf?

sample server.conf

 [sslConfig]
 sslVersions = *,-ssl2
 sslVersionsForClient = *,-ssl2
 cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

saurabh_tek11 · ‎04-19-2018

@burakcinar, The splunk version is splunk Enterprise 7.0.2 and ES version is 4.7
I have added your shared configs in my /system/local/server.conf and restarted splunk but that didnt bring the web accessible. Could you suggest something else.

Splunk web is not accessible after installing ES 4.7, Socket error from x.x.x.x while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?