Splunk Enterprise

Why did Secure Gateway stop working (status "not connected") a few minutes after setup?

gdigrego
Path Finder

Hello,

I am looking for a solution to send Splunk alerts to the Splunk mobile application. So far I was using the "Splunk Cloud Gateway" Splunkbase app on my Splunk lab (standalone Splunk VM), which was based on Splunk 8.0.x. Since I recently wanted to upgrade to Splunk 8.2.4, I also needed to move to the "embedded" Splunk Secure Gateway app.

Since I did not need the former indexed data, I decided to remove Splunk 8.0 and do a fresh install of 8.2.4 (no upgrade on the Splunk side, nor migration from Cloud Gateway to Secure Gateway). After "opting in" to Secure Gateway, the gateway managed to stay "connected" for ~10 minutes (I can see "ping-pong" messages in the Secure Gateway logs / _internal index). But it suddenly stopped working (the status in the dashboard is now desperately showing "not connected")...

Last "ping-pong" exchange is the following one:

[screenshot: gdigrego_0-1644594734792.png]

This was "this morning" at 0:20 AM (twenty past midnight, 10 minutes after the gateway opt-in/config).

On the errors side, the first one I can see is this one (7 min before 0:20 AM):

[screenshot: gdigrego_1-1644595387898.png]

Then this one, when the "ping-pong" traffic stopped (at 0:20 AM):

[screenshot: gdigrego_2-1644595445812.png]

And then ones like these:

[screenshot: gdigrego_3-1644595507328.png]

I've checked all the logs of the gateway, enabled DEBUG traces, analyzed the Python code, checked these errors, changed the "timeouts" to bigger values in the app conf file, looked at the "Troubleshooting" sections of the doc... but I could not yet find why it suddenly stopped working.

To be complete, I am running on a lab VM (2 vCPU, 8 GB of RAM) (which is below the prerequisite "specs", I know) and with a self-signed SSL certificate generated by Splunk when I changed the server settings to use HTTPS. I am behind a Sophos UTM 9.7 which protects my home network, and I've made a rule to disable filtering (like SSL scanning, etc.) for URLs that end in *.spl.mobi.

Would you have any directions or clues for fixing that connectivity issue?

Thanks in advance

0 Karma