Splunk Observability Cloud

Having trouble with anything specific related to Observability Cloud? Let us know and we will help!

ArifV
Splunk Employee

Drop your issue in the replies and we will help you track down the best solution.

0 Karma

skeir
Observer

I used this:

echo -e "# ssl-extensions-x509.cnf\n[v3_ca]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nsubjectAltName = IP:<ip-of-splunk-enterprise-instance>" > ssl-extensions-x509.cnf
0 Karma

bishida
Splunk Employee

Hi,

Unfortunately, the error message isn't very informative.

I see that you pasted your custom certificate authority cert. Can you try pasting the final cert that you signed using that CA cert/key? (this is the one that you can view/export in your web browser at https://<ip-of-splunk-enterprise-instance>:8089)

Here is a quick list of other sanity checks that might help:

Were you certain to specify the public IP (not a private one) of your ec2 where you see <ip-of-splunk-enterprise-instance> ?

Does your AWS security policy allow incoming traffic on port 8089 from the O11y realm you're using? (e.g. us1, us0, eu0...)

If you load https://<ip-of-splunk-enterprise-instance>:8089 in your browser and export the certificate, is it the same one you pasted in to the connection? (it should be)

Can you log in to the Splunk Enterprise instance with your service account to verify username/password is valid?

Be sure the target in your LOC connection uses https and port 8089

The service account must have a role that includes capabilities "search" and "edit_tokens_own"

The service account role should have a reasonable limit for searches (a multiple of 4 such as 40).




0 Karma
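The check behind the first suggestion above, as an added example that is not part of the original posts: it tells a CA certificate from the final (signed) certificate and prints each one's SHA-256 fingerprint for comparison with what the browser shows on port 8089. The function names, `final.pem`, the throwaway demo CA and the IP 203.0.113.10 are constructed for illustration; only `myCACertificate.pem` and the extension file contents come from the thread.

```shell
#!/bin/sh
# Added example: tell the CA cert from the final (server) cert before pasting it.
# Function names, file names and the IP 203.0.113.10 are constructed for the demo.
set -e

# Prints "ca" when basicConstraints is CA:TRUE, otherwise "leaf" (the final cert).
cert_role() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo ca; else echo leaf; fi
}
# SHA-256 fingerprint, comparable with the one the browser shows for port 8089.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# Succeeds when subjectAltName lists the given IP address.
cert_has_ip() { openssl x509 -in "$1" -noout -text | grep -Eq "IP Address:$2(,|\$)"; }

# Offline stand-in for the real files: a throwaway CA plus a cert it signs.
demo=$(mktemp -d)
cd "$demo"
printf '[req]\ndistinguished_name = dn\nx509_extensions = v3_root\nprompt = no\n[dn]\nCN = Constructed Demo CA\n[v3_root]\nbasicConstraints = critical, CA:TRUE\n' > ca.cnf
# Same extension file as in the post above, with a documentation-range IP.
printf '[v3_ca]\nbasicConstraints = CA:FALSE\nkeyUsage = digitalSignature, keyEncipherment\nsubjectAltName = IP:203.0.113.10\n' > ssl-extensions-x509.cnf
openssl req -x509 -new -newkey rsa:2048 -nodes -config ca.cnf -days 1 \
  -keyout ca.key -out myCACertificate.pem 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj '/CN=203.0.113.10' \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA myCACertificate.pem -CAkey ca.key -CAcreateserial \
  -extfile ssl-extensions-x509.cnf -extensions v3_ca -days 1 -out final.pem 2>/dev/null

# The two files are different certificates with different fingerprints.
for f in myCACertificate.pem final.pem; do
  echo "$f: role=$(cert_role "$f") sha256=$(cert_fp "$f")"
done
```

Against a real instance, run `cert_role` and `cert_fp` on the file you intend to paste and compare the fingerprint with the certificate exported from https://<ip-of-splunk-enterprise-instance>:8089.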

skeir
Observer

Thanks!

While all of your other suggestions were valid and useful, it was your first suggestion about using the final cert that allowed me to create the connection. I appreciate your help.

0 Karma

bishida
Splunk Employee

Awesome, glad you got it working!

0 Karma

skeir
Observer

Looking for help with Log Observer Connect.
I've got Splunk on AWS EC2.
In O11y, I've followed the Set Up Service Account instructions and have secured the web and management port with a self-signed cert. This part is working.
I have confirmed the details regarding the indexes, capabilities (including indexes_list_all), resources and tokens.
When I attempt the Set Up Observability Cloud step, I fill in the account details and upload or paste the first cert in the chain (myCACertificate.pem, based on the instructions at https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/ConfigureandinstallcertificatesforLogObs...), but I get:
Unable to create Splunk Enterprise client.
The Splunk Enterprise _internal index doesn't appear to show any errors related to this.
I've been very specific about the details; the only odd aspect is the IP address as the CN for the cert.
Any ideas would be greatly appreciated.


0 Karma

bishida
Splunk Employee

Hi,

Since you’re using an IP address for the common name, did you specify IP instead of DNS in this step?

0 Karma