Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About HumanPrinter
HumanPrinter
Explorer
Member since:
10-26-2018
05-09-2023
Community Statistics
| Posts | 11 |
| Solutions | 2 |
| Karma Given | 1 |
| Karma Received | 1 |
| Member Since | 10-26-2018 |
Activity Feed
- Posted Re: When enabling sslVerifyServerName for kvstore, the KVStore will not start? on Security. 05-09-2023 01:01 AM
- Posted When enabling sslVerifyServerName for kvstore, the KVStore will not start? on Security. 05-02-2023 04:10 AM
- Tagged When enabling sslVerifyServerName for kvstore, the KVStore will not start? on Security. 05-02-2023 04:10 AM
- Tagged When enabling sslVerifyServerName for kvstore, the KVStore will not start? on Security. 05-02-2023 04:10 AM
- Tagged When enabling sslVerifyServerName for kvstore, the KVStore will not start? on Security. 05-02-2023 04:10 AM
- Tagged When enabling sslVerifyServerName for kvstore, the KVStore will not start? on Security. 05-02-2023 04:10 AM
- Posted Re: Configure Splunk forwarding on Windows hosts to use your own certificates on Security. 08-18-2021 01:55 AM
- Posted Re: Configure Splunk forwarding on Windows hosts to use your own certificates on Security. 07-15-2021 12:50 AM
- Posted Configure Splunk forwarding on Windows hosts to use your own certificates on Security. 03-05-2021 02:11 AM
- Tagged Configure Splunk forwarding on Windows hosts to use your own certificates on Security. 03-05-2021 02:11 AM
- Tagged Configure Splunk forwarding on Windows hosts to use your own certificates on Security. 03-05-2021 02:11 AM
- Tagged Configure Splunk forwarding on Windows hosts to use your own certificates on Security. 03-05-2021 02:11 AM
- Tagged Configure Splunk forwarding on Windows hosts to use your own certificates on Security. 03-05-2021 02:11 AM
- Got Karma for Re: Replace root CA for Splunk cluster. 12-08-2020 04:10 AM
- Posted Email action for alerts no longer works since Splunk 7.3.6 on Alerting. 06-23-2020 04:57 AM
- Karma Re: Heavy Forwarder change trial license to forwarder license CLI how to? for fernandoandre. 06-05-2020 12:46 AM
- Posted Re: Replace root CA for Splunk cluster on Security. 01-21-2020 12:52 AM
- Posted Replace root CA for Splunk cluster on Security. 01-20-2020 07:14 AM
- Tagged Replace root CA for Splunk cluster on Security. 01-20-2020 07:14 AM
- Tagged Replace root CA for Splunk cluster on Security. 01-20-2020 07:14 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
05-09-2023
01:01 AM
In the meantime, I've also enabled verbose logging for the KVstore. This however, does nog provide much more help. The mongo logfile now contains many lines saying: Session from <ipadress> encountered a network error during SourceMessage: SocketException: sslv3 alert bad certificate Running a curl-command from the host to the KVstore shows a valid SSL-chain: curl -v --cacert etc/auth/customcerts/splunk_ca.pem https://localhost:8191
... View more
05-02-2023
04:10 AM
We are trying to implement the guidelines for enabling TLS Hostname verification (Configure TLS certificate host name validation - Splunk Documentation). This is working for most stanzas, but we are facing an issue with enabling the 'sslVerifyServerName' setting for kvstore. We already had custom certificates in place for all inter-Splunk communications. We are starting to enable the aditional verify-settings and in that process we started with the Deployment Server/SH Deployer. On that machine we created a server.conf with the following content: [sslConfig]
serverCert = /opt/splunk/etc/auth/customcerts/azsplunkdep1d.management.dev_chained.pem
sslPassword = [REDACTED]
sslRootCAPath = /opt/splunk/etc/auth/customcerts/splunk_ca.pem
sslVerifyServerCert = true
sslVerifyServerName = true
cliVerifyServerName = true
[kvstore]
serverCert = /opt/splunk/etc/auth/customcerts/azsplunkdep1d.management.dev_chained.pem
sslPassword = [REDACTED]
sslVerifyServerCert = true
sslVerifyServerName = true
[search_state]
sslVerifyServerCert = true
sslVerifyServerName = true
[pythonSslClientConfig]
sslVerifyServerCert = true
sslVerifyServerName = true The server certificate is valid and contains the hostname and domainname of the server (CN=<host>.<domain>) If we start Splunk, the following lines appear in splunkd.log: ERROR KVStoreConfigurationProvider [45937 KVStoreConfigurationThread] - Failed to start mongod on first attempt reason=Failed to receive response from kvstore error=, service not ready after waiting for timeout=304029ms
ERROR KVStoreConfigurationProvider [45937 KVStoreConfigurationThread] - Could not start mongo instance. Initialization failed.
ERROR KVStoreBulletinBoardManager [45937 KVStoreConfigurationThread] - KV Store changed status to failed. Failed to start KV Store process. See mongod.log and splunkd.log for details..
ERROR KVStoreBulletinBoardManager [45937 KVStoreConfigurationThread] - Failed to start KV Store process. See mongod.log and splunkd.log for details.
INFO MongodRunner [45938 MongodLogThread] - mongod exited normally (exit code 0, status: PID 45939 exited with code 0). The Mongo log only contains logging saying it received a signal 15 (Terminated) and that it will shutdown accordingly. If we remove (or disable) the 'sslVerifyServerName' setting under the kvstore-stanza, everything works fine. Is there anything we missed in this setup? What additional steps of checks are required to enable TLS Hostname verification for the KVStore? Thanks in advance, Oscar
... View more
Labels
- Labels:
-
audit
-
encryption
-
SSL
08-18-2021
01:55 AM
We found the solution. Apparently, you can specify a Unix-style path in the configuration. The trick is to use the $SPLUNK_HOME variable to avoid fiddling with Windows drive letters. We ended up using a path like 'clientCert = $SPLUNK_HOME/etc/apps/ufw_base/local/splunkUfd_chained.pem' in the configuratin and that works like a charm
... View more
07-15-2021
12:50 AM
Does anyone have any experience with this?
... View more
03-05-2021
02:11 AM
We are running a Splunk cluster (version 8.1.2) and trying to secure the forwarding from the Universal Forwarders (also version 8.1.2) to the Heavy Forwarders in our cluster. I've followed the documentation to accomplish this using custom certificates and we have succeeded to secure the traffic between the Universal Forwarders running on Linux and our Heavy Forwarders (also running on Linux). However, the Universal Forwarders on Windows fail to successfully sent their data. Our configuration is as follows: We have created a root CA that is shared by all Splunk nodes We have created a server certificate signed by the root CA that is shared by the Heavy Forwarders We have created a certificate signed by the root CA that is shared by the Universal Forwarders The Universal Forwarders contain an app with a outputs.conf with the following content [tcpout] defaultGroup = ufw_group [tcpout:ufw_group] server = splunkhf1d:9997 clientCert = C:\Program Files\SplunkUniversalForwarder\etc\apps\ufw_base\local\splunkUfd_chained.pem sslPassword = $7$1x1tBdfWOZKofTNvhO1BD2/EJqF6yzM6fyiGVpqdDWEFQdm8Y1J+SGrN Note that the sslPassword was pasted in plain text and was encrypted by Splunk upon restart. The log of the Universal Forwarder shows: ERROR AesGcm - Text decryption - error in finalizing: No errors in queue ERROR AesGcm - AES-GCM Decryption failed! ERROR Crypto - Decryption operation failed: AES-GCM Decryption failed! WARN ConfigEncryptor - Decryption operation failed: AES-GCM Decryption failed! I have also tried to specify the path to the root CA in the server.conf but this did not help either. Finally, I have tried to install the Universal Forwarder using the graphical user interface and to specify the certificates in the installation wizard. The strange thing is that the certificate options do not show up in any of the configuration files after the installation is complete and forwarding also does not work. Has anyone successfully configured forwarding over SSL/TLS from a Windows host or is this only supported on Linux hosts?
... View more
Labels
- Labels:
-
encryption
-
SSL
06-23-2020
04:57 AM
Last week we upgraded our Splunk-cluster from version 7.3.5 to 7.3.6. Since that moment, alerts that are triggered no longer are able to send mail. The _internal index shows an event stating "ERROR sendemail:461 - 'rootCAPath' while sending mail to: xxx@xx" From other posts it seems to be required to add the list_settings capability to our user roles. However, prior to the update we have had no problems with alert mails without adding this capability to user roles. The release notes for version 7.3.6 don't mention any fix or change in this regard. Since the documentation is not quite clear about the impact of adding this capability to a user role (what additional possibilities are available to users with this capability) and this didn't seem to be required up until version 7.3.5 we would like to be sure this capability won't harm our setup
... View more
Labels
- Labels:
-
alert action
-
email
01-21-2020
12:52 AM
1 Karma
But that would mean that in a setup with 100+ machines (including Universal Forwarders), the logging will be inconsistent for quite some time as it will take some time to replace a root CA on a 100+ machines.
Even when we have a root CA with a lifetime of several years, there will be a point in time where it will expire and need to be replaced. If Splunk> does not have a viable solution for this scenario, the use of SSL encryption for inner-Splunk communication is very unpractical to say the least.
... View more
01-20-2020
07:14 AM
We have a Splunk cluster running which consists of search heads, indexers, heavy forwarders and other Splunk instances (e.g. deployment server, cluster master, ...) and many Universal Forwarders
We want to encrypt all inter-Splunk communications (both inside the Splunk-cluster and between Universal Forwarders and Heavy Forwarders) with custom certificates which are signed by a custom root CA. Initially, this should not be a problem since there is plenty of documentation on this subject.
However, we cannot find any documentation for the scenario in which the root CA needs to be renewed. How can this be done without any downtime (or at least a minimum downtime)? All the scenario's we have seen soo far require a big bang approach in which the cluster and Universal Forwarders will not operate properly untill all the servers and clients have the new root CA.
Does anyone have any thoughts on this subject?
Thanks
... View more
09-26-2019
04:02 AM
We are running a Universal Forwarder on our Windows servers which host several of our application. Each application logs to the same Windows Event Logbook, but use different sources to be able to determine the source of the logging.
We have configured the UF to forward all messages from the logbook to the heavy forwarders according to the inputs.conf-snippet below:
[WinEventLog://ServerApps]
disabled = 0
sourcetype = ServerAppLogs
source = ServerApp
renderXml = false
The problem is, whenever a new application is deployed, it will register a new source with the Windows Event logbook (using Powershell: [System.Diagnostics.EventLog]::CreateEventSource($eventSourceName, $eventLogName) ). But the UF does not pick up this new source untill it is restarted even though we did not specify any whitelisting or blacklisting.
Is it possible to make the UF listen to new sources in the Windows Event Log without having to restart it?
PS. We are using version 7.3.1 of the Universal Forwarder
... View more
11-01-2018
12:06 AM
The problem turned out to be very simple and very obvious. I was forwarder to the deployer of http instead of http s. In other words, changing
proxy_pass http://splunk_deploymentserver;
into
proxy_pass https://splunk_deploymentserver;
did the trick.
(That was one expensive letter 🙂 )
... View more
10-31-2018
07:42 AM
I am trying to configure an NGINX-proxy that will forward all requests from a Universal Forwarder to the Deploymentserver in my Splunk-cluster. I have tried to follow the examples that are available on the internet as wel as on Splunkbase. However, I run into an error which I can't seem to solve.
My setup is as follows:
A windows machine running the Universal Forwarder (version 7.1.2 x64)
A CentOS 7.5 machine running Splunk as a deploymentserver (version 7.2.0)
A CentOS 7.5 machine running NGINX (version 1.12.2)
When I connect the Universal Forwarder directly to the deploymentserver, everything works fine. But when I connect with the NGINX-proxy, the communication breaks down.
NGINX reports a '502 Bad Gateway' and the deploymentserver reports
'WARN HttpListener - Socket error from 10.101.0.243:40076 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number'
My NGINX config looks as follows:
user nginx nginx;
worker_processes auto;
pid /var/run/nginx.pid;
error_log /var/log/nginx/error.log;
events {
worker_connections 1024;
use epoll;
}
http {
log_format main_http '$remote_addr - $remote_user [$time_local] $ssl_protocol/$ssl_cipher "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
upstream splunk_deploymentserver {
ip_hash;
server 10.101.0.237:8089;
}
server {
listen 8089 ssl;
ssl_certificate ssl/server.pem;
ssl_certificate_key ssl/server.key;
access_log /var/log/nginx/access_splunkdeployment.log main_http;
location / {
proxy_pass http://splunk_deploymentserver;
}
}
}
The SSL-certificate that is served by NGINX, is a copy of the SSL-certificate of the deployment server.
Any help on solving this problem is very much appreciated.
Oscar
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
05-09-2023
04:32 AM
|
