Splunk Enterprise Security

Troubles Accessing Splunk Web With HTTPS (Enterprise Security)

JohannLiebert92
Path Finder

Hi everyone,

I'm having trouble accessing Splunk Web over HTTPS. After I installed ES, HTTPS was turned on automatically for Splunk Web, but I couldn't access it while it was on HTTPS. I tried disabling HTTPS manually by editing web.conf and was able to access the web again. As such, I would like to gather some insights/suggestions on what could potentially be the cause of this. Has anyone encountered a similar issue in their environment before?

P.S.: While web HTTPS is on, I tried to access Splunk Web over HTTP (e.g. http://myserver:8000) and got "connect failed" on the browser page. I also saw the warning message "Socket error from while idling:error 1408F10B:SSL_routines:SSL_GET_RECORD:wrong version number" generated in splunkd.log.

Thanks!

1 Solution

Kendrick821
Explorer

Please check if there is a proxy in between the client machine and the Splunk server. Most likely the proxy has a policy of blocking SSL connections that are not trusted by the proxy.


skalliger
Motivator

You did not mention whether you created a self-signed certificate before or not (or a real certificate issued by a CA). Splunk Enterprise Security only works with HTTPS; it cannot be disabled.

Skalli

0 Karma

JohannLiebert92
Path Finder

Hi skalliger, thanks for helping. At this stage I am using the default Splunk Web certificate (and a real certificate for splunkd). The cause of the issue turned out to be the proxy, which blocked the traffic from accessing it. Thanks!!

0 Karma

JohannLiebert92
Path Finder

Hi garethatiag, thanks for helping. Yes, I tried Chrome and IE; however, I just realized the internet settings for both Chrome and IE are shared, and thus the proxy block.

0 Karma

JohannLiebert92
Path Finder

This really turned out to be the cause of the issue. There was a proxy which blocked the traffic from accessing the server. After the Splunk server was whitelisted, we can access it with HTTPS.

Thanks everyone for helping!!!!

0 Karma

gjanders
SplunkTrust

Can you please confirm that you are using a modern Chrome/Firefox or Edge browser to browse to https://myserver:8000 ?

0 Karma

p_gurav
Champion

Which Splunk version are you using?

0 Karma

JohannLiebert92
Path Finder

Hi p_gurav,

I'm using Splunk 7.0.1.

0 Karma

p_gurav
Champion

When you are accessing https://your-server:8000, what error are you getting?

0 Karma

JohannLiebert92
Path Finder

I didn't pay attention to the exact message; I will need to revert back to you once I have access to the server on Monday again. But it looked like one of those responses when a page is unavailable, e.g. accessing Splunk Web on HTTP when HTTPS is enabled.

0 Karma
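
Why a plain-HTTP request to the HTTPS-enabled Splunk Web port produces the "wrong version number" warning quoted in the question, as an added example that is not part of the original thread: the sketch decodes the first bytes a client sends the way a TLS record parser reads them. The function names and sample bytes are constructed for illustration.

```python
import struct

# TLS record content types (RFC 5246 / RFC 8446)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")

def parse_record_header(data):
    """Decode the 5-byte TLS record header: type, version, length."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes to read a record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"type": ctype, "version": (major, minor), "length": length}

def classify_first_bytes(data):
    """Return (verdict, detail) for the first bytes sent to a TLS listener."""
    hdr = parse_record_header(data)
    major, minor = hdr["version"]
    if data.startswith(HTTP_METHODS):
        # The ASCII method name is misread as a record header, so the
        # "version" field holds letters instead of 0x03xx.
        return ("plaintext_http",
                f"parsed as type=0x{hdr['type']:02x} "
                f"version=0x{major:02x}{minor:02x}: wrong version number")
    if hdr["type"] in CONTENT_TYPES and major == 3 and minor <= 4:
        return ("tls", f"{CONTENT_TYPES[hdr['type']]} record, "
                       f"version 3.{minor}, {hdr['length']} bytes")
    return ("unknown", "neither an HTTP request nor a valid TLS record header")

# Constructed samples: a browser using http:// against the HTTPS port,
# and the start of a ClientHello from a browser using https://.
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: myserver:8000\r\n\r\n"
TLS_SAMPLE = bytes.fromhex("1603010200") + b"\x01\x00\x01\xfc"

if __name__ == "__main__":
    for name, sample in (("http://", HTTP_SAMPLE), ("https://", TLS_SAMPLE)):
        print(name, classify_first_bytes(sample))
```

The warning therefore only shows that some client spoke plain HTTP to the TLS port; an HTTPS connection that a proxy blocks before it reaches the server is a separate failure.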