RHEL7, Splunk/forwarder v8.0.4

I'm setting up a distributed installation (1x head, 2x indexer). There's been quite a bit of back and forth, troubleshooting. When running 'splunk restart', 2 of 3 manage to start up the web interface as desired, with the correct CA showing up in the browser.

For the remaining one, the config file /opt/splunk/etc/system/local/web.conf looks identical on them. Another config file, ~/etc/system/local/server.conf, is similar, with serverName, and the hashed pass4SymmKey and sslPassword being different. This is also using the .pem file as serverCert. Rather than the decrypted .key file, the server.conf file is running off the encrypted one (in .pem format), but with sslPassword being supplied in the [sslConfig] section.

My current question is, what configuration files affect the web interface?

When the web interface is up (and the second indexer hopefully shows up in 'splunk show cluster-bundle-status'), replication and data integrity would be next, before, in the end, having all forwarders show up. I have a feeling/hope all the current issues are related to me messing up SSL stuff.

If this is the wrong place to ask/post this, I do apologize.