IBM Security Access Manager v9 build 9.0.1.0
* There is a bug which doesn't allow syslog to be sent of UDP, but TLS-TCP works. The bug is fixed in 9.0.2.0
On the ISAM9 side, within the proxy I have setup the logcfg parameter to send syslog out.
server-log-cfg = rsyslog server=10.10.10.10,port=10265,log_id=server01_msg_webseald-default.log,ssl_keyfile=default_qdsrv.kdb,ssl_stashfile=default_qdsrv.sth
On the Splunk Forwarder side: ( i send the logs to an intermediate forwarder which sends to the cluster)
In the Inputs.conf I have tried the variations - [tcp://:10265], [splunktcp-ssl://:10265], [tcp-ssl:10265] - switching out the : to ://: to //: since docs were not to clear.
When using splunktcp or tcp-ssl my splunkd.log (on the forwarder) reports these are reserved for Splunk2Splunk. Also, when I run netstat -apn | grep 10265 ... its not listening.
Question: I'm not sure if I generated a SSL cert correctly. I followed this link: https://answers.splunk.com/answers/130860/how-to-get-tcp-ssl-input-for-splunk-6-0-to-work.html but it can't find the genSignedServerCert.py file referenced in the script /opt/splunk/bin/genSignedServerCert.sh -d /opt/splunk/etc/certs -n splunk -c splunk -p so it fails.
Has anyone worked on this ISAM9 -> splunk forwarding?
Any accurate advice on howto receive SSL data into a forwarder?
Splunk 6.5.2
Splunk forwarder 6.4.3
Thank You,
Sean
... View more