I tried the gdb way on that page. It turns out that Splunk uses its own compiled OpenSSL lib in $SPLUNK_HOME/lib/libssl.so.X.X.X, so the code doesn't work since it puts the breakpoint on the system version. Tested under splunkforwarder 8.1.3 on Debian 11.

1. Compile an OpenSSL with debugging symbols as mentioned in the article. Here is the complete guide. Download the 1.0.2 source code and get into the extracted folder. The options I used:

   ./config shared -d -Wl,-rpath=/usr/local/ssl/lib -Wl,--enable-new-dtags
   make
   make test
   sudo make install

2. Install the electric-fence package ("apt-get install electric-fence") as indicated for the -d option.

3. Go to /usr/local/ssl/lib, copy libssl.so.1.0.0 and libcrypto.so.1.0.0 to $SPLUNK_HOME/lib, making a backup of the original ones. Then duplicate the 2 files and rename them to libssl.so and libcrypto.so (as you can see in the folder, Splunk actually puts 2 copies of the same file where there were originally soft links).

4. (optional) Edit the manifest file in $SPLUNK_HOME, replacing the sha256 hash of the original lib files with the new ones'.

5. Restart Splunk in the normal way. Get the pid of splunkd; there are 2 of them, pick the first one.

6. Install and configure gdb according to the instructions. Then download sslkeylog.py and follow the "Recommended configuration" to configure the gdbinit. Then run:

   SSLKEYLOGFILE=premaster.txt gdb -batch -ex skl-batch -p <your splunkd pid>

Hope this helps.
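The library swap and manifest-hash update from steps 3 and 4 above, as an added shell example that is not from the original post or from Splunk: it assumes the lib directories are passed in as arguments, that the manifest holds plain sha256 hex digests (replaced wherever they appear, so the exact line layout does not matter), and that sha256sum is installed.

```shell
#!/bin/sh
# Added example (not from the original post): install a debug-build OpenSSL
# library over the copy Splunk bundles, keep a backup, update the sha256
# entries in the Splunk manifest, and check which libssl/libcrypto a running
# splunkd has actually mapped.
set -eu

sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# Replace every occurrence of OLD_FILE's digest in MANIFEST with NEW_FILE's.
# Prints the new digest; returns 1 if the old digest is not in the manifest.
# Assumes digests appear as plain hex in the manifest (layout-agnostic).
update_manifest_hash() {
    manifest="$1"; old_file="$2"; new_file="$3"
    old_hash="$(sha256_of "$old_file")"
    new_hash="$(sha256_of "$new_file")"
    grep -q "$old_hash" "$manifest" || return 1
    sed -i "s/$old_hash/$new_hash/g" "$manifest"
    printf '%s\n' "$new_hash"
}

# Back up the library Splunk ships, copy the debug build in its place, and
# recreate the unversioned name Splunk keeps as a plain copy (not a symlink).
# Usage: install_debug_lib "$SPLUNK_HOME/lib" /usr/local/ssl/lib libssl.so.1.0.0
install_debug_lib() {
    splunk_lib="$1"; debug_lib="$2"; name="$3"
    base="${name%%.so*}.so"                       # libssl.so.1.0.0 -> libssl.so
    cp -p "$splunk_lib/$name" "$splunk_lib/$name.orig"
    cp -p "$debug_lib/$name"  "$splunk_lib/$name"
    cp -p "$splunk_lib/$name" "$splunk_lib/$base"
}

# Show which libssl/libcrypto a running splunkd has mapped, to confirm the
# breakpoint will land in the bundled copy rather than the system one.
loaded_ssl_libs() {
    grep -E 'lib(ssl|crypto)\.so' "/proc/$1/maps" | awk '{print $6}' | sort -u
}
```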