Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About yaye
yaye
Explorer
Member since:
07-04-2022
08-16-2023
Community Statistics
| Posts | 8 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 07-04-2022 |
Activity Feed
- Posted Re: cliVerifyServerName failing because Splunk starts as 127.0.0.1 on Splunk Enterprise. 08-16-2023 02:22 AM
- Posted Re: cliVerifyServerName failing because Splunk starts as 127.0.0.1 on Splunk Enterprise. 08-14-2023 11:29 AM
- Posted Re: cliVerifyServerName failing because Splunk starts as 127.0.0.1 on Splunk Enterprise. 08-14-2023 02:58 AM
- Posted Why cliVerifyServerName failing because Splunk starts as 127.0.0.1? on Splunk Enterprise. 08-10-2023 03:04 AM
- Posted Re: How to achieve dnstap field extraction? on Knowledge Management. 06-09-2023 12:13 AM
- Posted How to achieve dnstap field extraction? on Knowledge Management. 06-07-2023 11:41 AM
- Tagged How to achieve dnstap field extraction? on Knowledge Management. 06-07-2023 11:41 AM
- Tagged How to achieve dnstap field extraction? on Knowledge Management. 06-07-2023 11:41 AM
- Tagged How to achieve dnstap field extraction? on Knowledge Management. 06-07-2023 11:41 AM
- Tagged How to achieve dnstap field extraction? on Knowledge Management. 06-07-2023 11:41 AM
- Tagged How to achieve dnstap field extraction? on Knowledge Management. 06-07-2023 11:41 AM
- Posted What is the best naming convention for serverclasses? on Deployment Architecture. 10-21-2022 12:25 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 |
08-16-2023
02:22 AM
Changed the mgmtHostPort to the FQDN of the server. This FQDN stands in the Certificate Subject Alternative Name of the certificate of the server. [settings] startwebserver = 1 mgmtHostPort = <redacted>:8089 enableSplunkWebSSL = true privKeyPath = <redacted> serverCert = <redacted> sslVersions = tls1.2 max_upload_size = 2048 Changed cliVerifyServerName to true [sslConfig] useClientSSLCompression = true sslVersions = tls1.2 sslVerifyServerCert = true sslVerifyServerName = true requireClientCert = false serverCert = <redacted> sslRootCAPath = <redacted> sslPassword = <redacted> cliVerifyServerName = true Getting the same error after restarting the server [root@<redacted> ~]# systemctl restart Splunkd [root@<redacted> ~]# su splunk [splunk@<redacted> root]$ splunk reload deploy-server Your session is invalid. Please login. ERROR: IP address 127.0.0.1 not in server certificate. Please see server.conf/[sslConfig]/cliVerifyServerName for details. Couldn't request server info: Couldn't complete HTTP request: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
... View more
08-14-2023
11:29 AM
Yes, this is a upgraded environment.
... View more
08-14-2023
02:58 AM
We use DHCP for our servers, so it could be possible that after the lease time ends, the server has a new IP. Is it possible to give mgmtHostPort a FQDN / CName?
... View more
08-10-2023
03:04 AM
Hi,
I want to run the command "splunk reload deploy-server" on my deployment server, but it fails with the following error:
[root@server etc]# su splunk
[splunk@server etc]$ splunk reload deploy-server
Your session is invalid. Please login.
ERROR: IP address 127.0.0.1 not in server certificate. Please see server.conf/[sslConfig]/cliVerifyServerName for details.
Couldn't request server info: Couldn't complete HTTP request: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
I'm running Splunk Enterprise 9.0.4.
The deployment server also acts as a license server and monitoring console.
Of course, my certificate does not have the localhost IP in it.
My Splunk has a Systemd Unit File.
#This unit file replaces the traditional start-up script for systemd
#configurations, and is used when enabling boot-start for Splunk on
#systemd-based Linux distributions.
[Unit]
Description=Systemd service file for Splunk, generated by 'splunk enable boot-start'
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
Restart=always
ExecStart=/data/splunk/bin/splunk _internal_launch_under_systemd
KillMode=mixed
KillSignal=SIGINT
TimeoutStopSec=360
LimitNOFILE=65536
LimitRTPRIO=99
SuccessExitStatus=51 52
RestartPreventExitStatus=51
RestartForceExitStatus=52
User=splunk
Group=splunk
Delegate=true
CPUShares=1024
MemoryLimit=24949776384
PermissionsStartOnly=true
ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/cpu/system.slice/%n"
ExecStartPost=-/bin/bash -c "chown -R splunk:splunk /sys/fs/cgroup/memory/system.slice/%n"
[Install]
WantedBy=multi-user.target
sslConfig Part of my server.conf
[sslConfig]
useClientSSLCompression = true
sslVersions = tls1.2
sslVerifyServerCert = true
sslVerifyServerName = true
requireClientCert = false
serverCert = <Combined PEM Cert>
sslRootCAPath = <Root CA PEM Cert>
sslPassword = <Password>
cliVerifyServerName = true
If you need any more info, let me know.
... View more
- Tags:
- splunk search
Labels
- Labels:
-
configuration
-
troubleshooting
06-09-2023
12:13 AM
Solution found with reddit community Regex Challenge - Field Extraction : r/Splunk (reddit.com)
... View more
06-07-2023
11:41 AM
Hello,
I am struggling a bit with regex and field extractions. I need to write my own sourcetype because I haven't found anything pre-made for dnstap. Maybe I was blind and you have something ready to hand.
I have the following raw event text:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24094
;; flags: qr aa rd ra ; QUESTION: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 67816834b9432822c5a508fd59b65054fb5bbab0c5fe14f8
;; QUESTION SECTION:
;www.test.aa. IN A
;; ANSWER SECTION:
www.test.aa. 60 IN CNAME testserver.domain
www.test.aa. 60 IN A 192.168.1.20
;; AUTHORITY SECTION:
test.aa. 60 IN NS localhost.
I want to extract the "ANSWER SECTION", but my regex fails:
;;\sANSWER\sSECTION:\v(?<response_query>\S+)\s+(?<response_ttl>\S+)\s+(?<response_class>\S+)\s+(?<reponse_type>\S+)\s+(?<response>\S+)
The problem is that only the first line of the section is captured, but I need to capture every line because I need all the values. The "ANSWER SECTION" can consist of one line or several lines.
I'm using regex101.com with the regex flags "multi line" and "single line" as described in props.conf -> EXTRACT-<class>.
... View more
Labels
- Labels:
-
other
10-21-2022
12:25 PM
Hello, I'm currently trying to update our Splunk environment, but one problem I'm having is getting our server classes named correctly to make them future-proof and easy to use. Currently my server class naming convention looks something like this: <name> (general serverclass) <name>_<location>(location based) <name>_<machine type> (machine type based) <name>_<machine type>_<location> (location and machine type based) Example: clients clients_munich clients_berlin clients_linux clients_linux_munich clients_linux_berlin clients_windows clients_windows_munich clients_windows_berlin I would also use this convention for all other "groups" that need server classes. Server, Services, Appliances, Network, ... If you need examples for them just ask me 😄
... View more
Labels
- Labels:
-
deployment server
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
08-16-2023
09:16 AM
|
