Activity Feed
- Got Karma for Re: Getting multiple issues when enabling ssl on Splunk web with 3rd party certs with requiredClientCert = true. 02-06-2024 04:52 AM
- Got Karma for Re: Getting "unsupported certificate purpose" ERROR when enabling SSL on management port with requireClientCert = true. 06-23-2023 07:37 AM
- Got Karma for Re: Getting "unsupported certificate purpose" ERROR when enabling SSL on management port with requireClientCert = true. 02-21-2023 06:16 PM
- Got Karma for Re: Getting "unsupported certificate purpose" ERROR when enabling SSL on management port with requireClientCert = true. 11-17-2022 12:35 AM
- Posted Re: Why are the indexers disk usage more than the smartstore volume? on Deployment Architecture. 10-20-2022 09:11 AM
- Posted Why are the indexers disk usage more than the smartstore volume? on Deployment Architecture. 10-20-2022 12:47 AM
- Posted How to add search peer to monitoring console thru Rest call from search peer on Splunk Enterprise. 05-11-2021 07:46 PM
- Posted Why is splunkd expecting intermediate certs in the trust store? on Splunk Enterprise Security. 01-16-2021 02:57 AM
- Tagged Why is splunkd expecting intermediate certs in the trust store? on Splunk Enterprise Security. 01-16-2021 02:57 AM
- Got Karma for Re: Getting "unsupported certificate purpose" ERROR when enabling SSL on management port with requireClientCert = true. 12-02-2020 05:02 PM
- Posted Is there a rest endpoint to take a peer offline temporarily? on Splunk Enterprise. 10-12-2020 02:02 PM
- Posted Re: Migrate old Search head cluster to new Search head cluster on Splunk Enterprise. 08-12-2020 04:28 PM
- Posted DistributedPeerManager - Cannot determine a latest common bundle, search may be blocked Error on master node on Splunk Enterprise. 08-12-2020 04:23 PM
- Posted Re: Migrate old Search head cluster to new Search head cluster on Splunk Enterprise. 08-07-2020 03:01 PM
- Posted Migrate old Search head cluster to new Search head cluster on Splunk Enterprise. 08-07-2020 01:13 PM
- Posted Re: Splunk Web UI - Getting "Cannot get username when all users are selected" along with some web elements not on Splunk Search. 06-15-2020 03:19 PM
- Posted Re: Splunk Web UI - Getting "Cannot get username when all users are selected" along with some web elements not on Splunk Search. 06-12-2020 05:12 PM
- Posted Splunk Web UI - Getting "Cannot get username when all users are selected" along with some web elements not loading on Splunk Search. 06-11-2020 11:25 PM
10-20-2022
09:11 AM
@jdunlea We got these disk usage numbers from the Splunk MC itself. In fact I also ran this query, which outputs 900+ indexers with 96% usage:
| rest splunk_server_group=dmc_group_indexer /services/server/status/partitions-space
| eval free = if(isnotnull(available), available, free)
| eval usage = capacity - free
| eval pct_usage = floor(usage / capacity * 100)
| where pct_usage > 80
| stats first(fs_type) as fs_type first(capacity) AS capacity first(usage) AS usage first(pct_usage) AS pct_usage by splunk_server, mount_point
| eval usage = round(usage / 1024, 2)
| eval capacity = round(capacity / 1024, 2)
| rename splunk_server AS Instance mount_point as "Mount Point", fs_type as "File System Type", usage as "Usage (GB)", capacity as "Capacity (GB)", pct_usage as "Usage (%)"
10-20-2022
12:47 AM
Hi,
We have close to 1000 indexers in our Splunk cluster on AWS. Each indexer has 15TB of local SSD storage. Our retention is 30 days and we have enabled SmartStore with AWS S3.
The total S3 bucket size for our cluster is around 9 PB; however the disk usage on almost all of our indexers is around 95%, which comes to (1000 * 0.95 * 15 TB) = 14.2 PB.
What is taking up the additional ~5 PB of disk space on the indexers? I'm sure the hot data (which isn't on S3) is definitely not 2.5 PB (RF = 2) in size.
Can someone please throw some light here?
Thanks.
05-11-2021
07:46 PM
Hi, We have set up a distributed Splunk 8.1.3 cluster deployment in AWS. We have configured the monitoring console as a separate search head. We often have to patch our regular web search heads, and each time new SHs come up they need to be manually added to the monitoring console node. Rather, is there a way to run a REST call to the monitoring console node from the search peer to add itself to the monitoring console?
Labels: configuration, using Splunk Enterprise
01-16-2021
02:57 AM
Hi, We are exposing our search heads' management port for API access to Splunk and have enabled mTLS. When our users hit the endpoint with certs in the below chain format, Splunk throws the (SSL_ERROR_UNKNOWN_CA_ALERT) - Peer does not recognize and trust the CA that issued your certificate. error. Our users' certs are in the below format:
<entity>
<intermediate 1>
<intermediate 2>
The Root CA cert that signed the <intermediate 2> cert is in our cacerts.pem file, configured as below in server.conf:
sslRootCAPath=/path/to/cacerts.pem
The expectation is that Splunk should establish the chain and, since the Root CA that signed the last intermediate cert is present in its trust store, accept the client connection. This is not happening. However, if we put both of the above intermediate certs in the cacerts.pem file along with the Root CA cert, that establishes a successful connection. Why is this happening? Shouldn't Splunk be able to build the chain with the user-provided cert and establish a connection without having the intermediates in its truststore? Is there any parameter configuration to achieve this behaviour?
Labels: using Enterprise Security
10-12-2020
02:02 PM
Hi,
Is there a rest endpoint to take a peer offline temporarily?
I see one for decommissioning -
curl -k -u admin:pass https://indexer:8089/services/cluster/slave/control/control/decommission
But it seems like this is for permanent offline.
We are looking to take a peer offline temporarily..
Labels: using Splunk Enterprise
08-12-2020
04:28 PM
Thanks @isoutamo . Will try this and update
08-12-2020
04:23 PM
Hi, We have disabled [distributedSearch] in our Splunk cluster's master and indexer nodes. With this we are seeing the below issues.
WARN in Master:
WARN DistributedPeerManager - Cannot determine a latest common bundle, search may be blocked
ERROR in Indexers:
SearchPeerBundlesSetup - Cannot find bundles for search peer: <master_ip_node>
What we tried:
Enabled dist search in master alone (not on indexers) - both issues are gone
Enabled dist search on all indexers alone (not on master) - can still see both the issues
Made an update to one of the apps and did apply-bundle - this is successful without any issues
So the solution seems to be enabling dist search on master. But I wanted to get more insight into this. What does dist search mean on master and indexers? Does the master node need to have dist search enabled? In 'Cannot determine a latest common bundle' and 'Cannot find bundles for search peer', what does bundle mean here? I'm sure these are not knowledge bundles. Why is the indexer treating the master as a search peer?
Labels: using Splunk Enterprise
08-07-2020
03:01 PM
Both our environments are in AWS. For a new deployment, we will have a new AMI baked with the OS/Splunk upgrade and create EC2 instances with this AMI. We will have a new deployer and new SHC in this case. But how can we copy the settings/data from the old SHC to the new SHC?
08-07-2020
01:13 PM
Hi, I have gone through multiple answers and also Splunk documentation about migrating from a standalone search head to SHC, but my use case is a bit different. Use case: We want to deploy the Splunk Enterprise service in AWS and as part of it we create a SHC with, say, 5 search heads. Upon requirement of an OS upgrade or Splunk version upgrade, we want to spawn 5 totally new EC2 instances to form a new SHC with a new AMI that has the upgrades. How do we copy the old SHC data/settings (search artifacts - dashboards, saved searches etc.) to the new one? What is the best way to achieve this?
Labels: upgrade, using Splunk Enterprise
06-15-2020
03:19 PM
Yup. That's right. Agree.
06-12-2020
05:12 PM
Thanks for responding @livehybrid . Unfortunately we cannot go ahead with another LB than what AWS provides. AWS documentation says you can enable sticky sessions for NLB with type='source_ip', and when I enable stickiness in the target group section for the NLB in the AWS Console, I'm not seeing this issue anymore. Do you think this might be the solution then?
06-11-2020
11:25 PM
Hi, We have set up our Splunk cluster, version 7.3.3, in AWS and are seeing that on logging into the Splunk UI some of the web elements are not loading - like User id, the 'Search and Reporting' app (sometimes) etc. Also when we perform any search we see that it displays "Cannot get username when all users are selected". Our search heads are behind an AWS NLB. Our policies do not support ALB and hence we have to settle with NLB, which at this time does not support sticky sessions or persistence. I have gone through some of the Splunk Answers on this similar issue and came to know that this is probably because of missing sticky sessions. Is this really a missing sticky session issue? If yes, is there any alternate way to resolve this apart from moving from NLB to ALB?
04-22-2020
11:24 PM
2 Karma
This issue has been resolved when I use sslRootCAPath in web.conf instead of caCertFile
04-20-2020
12:15 PM
Hi All,
I want to enable mTLS in the Splunk cluster on all the communication channels. I have a peer certificate that works as both server and client. Enabling SSL is successful when I set
requiredClientCert = false
in web.conf. However when I make requiredClientCert = true I am getting the below errors
ERROR X509Verify - X509 certificate (CN=myCompanyCN) failed validation; error=19, reason="self signed certificate in certificate chain"
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unknown CA'.
WARN HttpListener - Socket error from 127.0.0.1:60580 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
Here are my conf files
server.conf
[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/peer-chain-with-key.pem <=== contains peer cert, key, intermediate certs, root CA cert in this order
caCertFile = $SPLUNK_HOME/etc/auth/mycerts/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true
web.conf
# Securing splunk web
enableSplunkWebSSL = true
privKeyPath = etc/auth/mycerts/peer-key.pem
serverCert = etc/auth/mycerts/peer-chain-cert-without-key.pem <==== contains peer cert, int certs & root CA cert in this order
sslVersions = tls1.2
requireClientCert = true
Any help please
04-20-2020
10:51 AM
4 Karma
This issue has been resolved after I replaced the server-only certs with multi-purpose certs. Posting here for the sake of others.
server cert
$ openssl x509 -noout -in server.pem -purpose
Certificate purposes:
SSL client : No
SSL server : Yes
Multi-purpose cert
$ openssl x509 -noout -in multi-purpose.pem -purpose
Certificate purposes:
SSL client : Yes
SSL server : Yes
I don't see this documented anywhere.
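The intermediate-certificate question above (why a trust store holding only the Root CA is not enough unless the intermediates also arrive with the leaf) and the certificate-purpose fix in this post can both be reproduced with OpenSSL alone. The following shell script is an added example, not code from any of these posts or from Splunk: it builds a constructed chain of a root, two intermediates and two entity certificates (all names and CNs, such as idx1.example.internal, are hypothetical), then runs `openssl verify -purpose sslclient`, which is the check a server performs on a client certificate when a client cert is required.

```shell
#!/bin/sh
# Added example, not from the original posts: build a constructed three-tier
# chain (root -> intermediate 2 -> intermediate 1 -> entity) with OpenSSL and
# reproduce two behaviours discussed on this page: how a verifier uses (or
# misses) intermediates, and the "unsupported certificate purpose" failure of a
# server-only certificate presented as a client certificate.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# issue NAME CN EXTENSIONS [ISSUER]: writes NAME.key and NAME.pem; self-signed
# when no issuer is given. Names and CNs are hypothetical.
issue() {
    name=$1; cn=$2; ext=$3; issuer=${4:-}
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$name.key" 2>/dev/null
    openssl req -new -key "$name.key" -subj "/CN=$cn" -out "$name.csr" 2>/dev/null
    printf '%b\n' "$ext" > "$name.ext"      # %b turns the \n in the strings into lines
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
            -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 30 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
    fi
}

CA_EXT='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
LEAF_EXT='basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment'

issue root "Example Root CA"        "$CA_EXT"
issue int2 "Example Intermediate 2" "$CA_EXT" root
issue int1 "Example Intermediate 1" "$CA_EXT" int2
# Two entity certs from the same issuer: one server-only, one multi-purpose.
issue server-only   "idx1.example.internal" "$LEAF_EXT\nextendedKeyUsage=serverAuth"            int1
issue multi-purpose "idx1.example.internal" "$LEAF_EXT\nextendedKeyUsage=serverAuth,clientAuth" int1

cat int1.pem int2.pem > intermediates.pem          # what a peer sends along with its leaf
cat root.pem > cacerts-root-only.pem               # trust store holding the Root CA only
cat root.pem int1.pem int2.pem > cacerts-full.pem  # trust store padded with the intermediates

# client_purpose CERT: the "SSL client" line of `openssl x509 -purpose`, Yes or No.
client_purpose() {
    openssl x509 -noout -in "$1" -purpose | sed -n 's/^SSL client : //p'
}

# verify_as_client STORE LEAF [UNTRUSTED]: prints ok, fail-purpose or fail-chain,
# emulating a server that requires a client certificate and trusts STORE. The
# UNTRUSTED file plays the role of the intermediates the peer sent in the handshake.
verify_as_client() {
    store=$1; leaf=$2; untrusted=${3:-}
    set -- -CAfile "$store" -purpose sslclient
    if [ -n "$untrusted" ]; then set -- "$@" -untrusted "$untrusted"; fi
    out=$(openssl verify "$@" "$leaf" 2>&1) && { echo ok; return; }
    case $out in
        *"unsupported certificate purpose"*) echo fail-purpose ;;   # X509 error 26, as in splunkd.log
        *) echo fail-chain ;;                                      # e.g. unable to get local issuer certificate
    esac
}

printf 'server-only    SSL client : %s\n' "$(client_purpose server-only.pem)"
printf 'multi-purpose  SSL client : %s\n' "$(client_purpose multi-purpose.pem)"
printf 'root-only store, leaf alone           : %s\n' "$(verify_as_client cacerts-root-only.pem multi-purpose.pem)"
printf 'root-only store, leaf + intermediates : %s\n' "$(verify_as_client cacerts-root-only.pem multi-purpose.pem intermediates.pem)"
printf 'full store,      leaf alone           : %s\n' "$(verify_as_client cacerts-full.pem multi-purpose.pem)"
printf 'full store,      server-only leaf     : %s\n' "$(verify_as_client cacerts-full.pem server-only.pem intermediates.pem)"
```

Run it as `sh chain-demo.sh`. With the root-only store the multi-purpose leaf fails when it arrives alone and passes once the intermediates are supplied as -untrusted, which is how a TLS server treats certificates sent by the peer; padding the trust store with the intermediates, as the post above ended up doing, also passes, but it means those intermediates are trusted directly rather than through the root. The server-only leaf fails with error 26, the same reason string as in the splunkd.log lines on this page, no matter how the chain is supplied.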
04-20-2020
10:48 AM
@PavelP , this issue has been resolved after I replaced the server-only certs with multi-purpose certs
server cert
$ openssl x509 -noout -in server.pem -purpose
Certificate purposes:
SSL client : No
SSL server : Yes
Multi-purpose cert
$ openssl x509 -noout -in multi-purpose.pem -purpose
Certificate purposes:
SSL client : Yes
SSL server : Yes
I don't think this has been documented anywhere.
Thanks a lot for your overall help on this
04-15-2020
12:13 PM
@PavelP , firstly thanks for your continuous guidance in this regard.
secondly, I tried making the ca-chain.pem include [server cert] at the top, but ended up getting the same error.
Also I don't think [server cert] needs to be in ca-chain.pem - I have gone through multiple Splunk Answers, and even in the 2015 .conf they use cacert.crt for the CA chain, which is the CA root certificate chain
04-14-2020
10:30 AM
@PavelP , This is my current certificate structure. Please correct me if I am not having them in correct structure.
server-cert-with-key.pem
[ server cert ]
[ server cert key ]
[ intermediate A cert ]
[ intermediate B cert ]
[ Root cert ]
ca-chain.pem
[ intermediate A cert ]
[ intermediate B cert ]
[ Root cert ]
And in my server.conf
serverCert = <path_to_pem>/server-cert-with-key.pem
sslRootCAPath = <path_to_pem>/ca-chain.pem
04-14-2020
04:11 AM
Hi All,
I want to enable SSL for Splunk management port(8089) for securing inter-splunk communications. I have below settings in my Cluster Master server.conf
[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = $SPLUNK_HOME/etc/auth/mycerts/server-chain-with-key.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true
But I see below errors in CM Splunkd.log
ERROR X509Verify - X509 certificate (CN=XXXX,OU=YYYY,O=ZZZ..) failed validation; error=26, reason="unsupported certificate purpose"
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
WARN HttpListener - Socket error from <indexer_ip>:47154 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
And I see this in my Indexer splunkd.log
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.
Can anyone help me in understanding why I'm seeing this issue? I have gone through a lot of answers and even the 2015 .conf slides, but do not understand why requireClientCert should be made false. I don't see anyone explaining the reason for this.
I basically want to enable mutual authentication between CM and indexers on management port and hence made requireClientCert = true. Is mutual TLS supported by Splunk on management port? If yes, how should I provide client certs for mTLS?
Thanks in advance
Labels: troubleshooting
04-13-2020
11:00 AM
Hello @pavelP,
I have followed this and made requireClientCert = true in CM and restarted splunk. Below is what I see
Cluster Master splunkd.log
ERROR X509Verify - X509 certificate (CN=XXXX,OU=XXX....) failed validation; error=26, reason="unsupported certificate purpose"
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
WARN HttpListener - Socket error from <idxr1_ip>:36874 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
Indexer splunkd.log
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.
In both instances, server.conf is something like
[sslConfig]
enableSplunkdSSL = true
useClientSSLCompression = true
sslVersions = tls1.2
serverCert = <path_to_pem>/server-cert-with-key.pem
sslRootCAPath = <path_to_pem>/ca-chain.pem
sslVerifyServerCert = true
requireClientCert = true
Except that requireClientCert = false in indexer server.conf
Is it correct to have server.pem in both CM and indexers for serverCert? Sorry, really confused.
BTW, here is the output of openssl verify
$ /opt/splunk/bin/splunk cmd openssl verify -CAfile ca-chain.pem server-chain-with-key.pem
server-chain-with-key.pem: OK
04-13-2020
04:58 AM
Hi @pyro_wood , I know this post is from way back, but I have a similar use case now. Basically I'm looking to enable mTLS in a Splunk Enterprise cluster. Can you please elaborate what you meant by 'server-client' cert? How can I provide a client cert for mutual TLS inter-Splunk communication with our own certificates?
04-10-2020
06:05 PM
By 'This part is not set correctly' , do you mean that Splunk currently doesn't support mTLS?
I have gone through both the slides and the recording of this .conf session but didn't understand exactly why requireClientCert is disabled for 'Splunk to Splunk' communication (all it talks about is why it is disabled between DS and DC).
04-10-2020
05:18 PM
Thanks again @PavelP . I checked with the -k switch and it gave me the required output. And it seems like the
requireClientCert = false
config in server.conf is equivalent to -k switch (correct me if I'm wrong).
However going to production, we do want to enable certificate verification to happen on management port 8089. So I made requireClientCert = true , restarted splunkd and I am seeing below errors/warning
cluster master splunkd.log
ERROR X509Verify - X509 certificate (CN=XXXXXX) failed validation; error=26, reason="unsupported certificate purpose"
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client certificate B', alert_description='unsupported certificate'.
WARN HttpListener - Socket error from <master-ip>:36874 while idling: error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed - please check the output of the `openssl verify` command for the certificates involved; note that if certificate verification is enabled (requireClientCert or sslVerifyServerCert set to "true"), the CA certificate and the server certificate should not have the same Common Name.
Indexer splunkd.log
WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server session ticket A', alert_description='unsupported certificate'.
Any ideas about this? Do I need to have a client certificate as well for this? If yes, how should I refer to the client cert (where should I set it)?
And thanks for clarifying on BAD_CERT_DOMAIN. Got your point here.
04-10-2020
04:25 PM
Thanks @PavelP , I see my cert being displayed by using openssl.
However when I use curl to connect to indexer from master ( for that matter between any two instances ) I'm seeing this
$ curl 'https://idxr-ip:8089/services/cluster/config' -v
* NSS error -8172 (SEC_ERROR_UNTRUSTED_ISSUER)
* Peer's certificate issuer has been marked as not trusted by the user.
When I provided --cacert and --capath options to my curl I get
* NSS error -12276 (SSL_ERROR_BAD_CERT_DOMAIN)
* Unable to communicate securely with peer: requested domain name does not match the server's certificate.
I guess this is because the CN or SAN in my certs doesn't match the indexer dns I'm using. Any idea how this can be achieved ?
For that matter, even with Splunk self-signed certs I should be seeing these errors. But I don't see any errors in splunkd.log. Is this because Splunk doesn't verify certs when communicating on 8089 with SSL? If yes, what's the point in enabling SSL then?
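The SSL_ERROR_BAD_CERT_DOMAIN line in the post above is curl's hostname check: once the chain is trusted, the name used in the URL must match a subjectAltName in the indexer's certificate (the CN is only consulted when the certificate carries no DNS SAN at all). The following shell snippet is an added example, not from the post or from Splunk: it creates a constructed self-signed certificate for the hypothetical indexer name idx1.example.internal with an additional IP SAN, reads the SAN back, and runs the same matching with `openssl verify -verify_hostname` and `-verify_ip`.

```shell
#!/bin/sh
# Added example, not from the original post: a constructed self-signed indexer
# certificate with a SAN, and the name check a verifying TLS client applies to it.
# idx1.example.internal and 10.0.0.11 are hypothetical.
set -eu
WORK=$(mktemp -d)

# The CN is deliberately not a hostname: with a DNS SAN present the CN is ignored.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Splunk Indexer" \
    -addext "subjectAltName=DNS:idx1.example.internal,IP:10.0.0.11" \
    -keyout "$WORK/idx.key" -out "$WORK/idx.pem" 2>/dev/null

# san_of CERT: the Subject Alternative Name entries as one line.
san_of() {
    openssl x509 -noout -in "$1" -ext subjectAltName | sed -n '2s/^ *//p'
}

# name_check NAME: ok or fail, the decision a client makes for a URL host name.
# The cert is used as its own trust anchor so only the name check can fail.
name_check() {
    if openssl verify -CAfile "$WORK/idx.pem" -verify_hostname "$1" "$WORK/idx.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# ip_check IP: the same decision for a connection made by IP address.
ip_check() {
    if openssl verify -CAfile "$WORK/idx.pem" -verify_ip "$1" "$WORK/idx.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

printf 'SAN                     : %s\n' "$(san_of "$WORK/idx.pem")"
printf 'idx1.example.internal   : %s\n' "$(name_check idx1.example.internal)"
printf 'idx2.example.internal   : %s\n' "$(name_check idx2.example.internal)"
printf 'CN as hostname          : %s\n' "$(name_check 'Splunk Indexer')"
printf '10.0.0.11               : %s\n' "$(ip_check 10.0.0.11)"
printf '10.0.0.12               : %s\n' "$(ip_check 10.0.0.12)"
```

The practical consequence for a cluster like the one in the post is that every name a peer or a curl client will actually connect with (DNS name and, if used, IP address) has to appear in the SAN of the certificate served on that instance's 8089; a certificate shared across instances needs all of their names.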
04-10-2020
03:27 AM
Hi All,
We want to enable SSL in our AWS Splunk Enterprise cluster on management port 8089 with our own certs (provided by my company). I followed all the required steps from various documents and enabled splunkd SSL in server.conf in all Splunk components - CM, indexer cluster, SH cluster and deployer.
How can I verify that SSL is correctly enabled and is using our own certs? I don't see any errors in any of the splunkd logs. But I do not know how to prove that the Splunk instances are communicating with our own certs. Also, how is the secure communication happening without client certs? Don't we need both client and server certs in all Splunk instances to securely communicate on port 8089 (for that matter, any port)? Any help is highly appreciated
Labels: SSL