About OGS

OGS · ‎08-18-2025

@livehybrid @PickleRick Thanks for your answer. I'll share some further findings. When used in conjunction with sslCommonNameToCheck, the "did not match any allowed names" message is sometimes not output. No error. sslCommonNameToCheck = license-1 #present in CN and SAN sslAltNameToCheck = xx.xx.xx.10 #IP present in SAN This pattern also produces no error. sslCommonNameToCheck = license-1 #present in CN and SAN sslAltNameToCheck = xx.xx.xx.100 #IP not present in SAN I may have misinterpreted this due to an insufficient translation. I had interpreted the sslAltNameToCheck setting as immediately terminating communication if there was a mismatch. Is using ssl[Common/Alt]NameToCheck in conjunction with this setting correct? As you all indicated, Splunk ignores IP addresses, but in the above pattern, did it switch to querying by CN?

OGS · ‎08-18-2025

Splunk 9.4.2 I'm investigating communication between the LicenseMaster and Indexer (LMTracker). Please tell me about SAN authentication. hostname: Connection is successful. [sslConfig] sslAltNameToCheck = license-1 IP: Connection fails. [sslConfig] sslAltNameToCheck = xx.xx.xx.10 *The destination license-1 has already been configured with indexer-1 information. If the connection fails, the splunkd.log displays the message "did not match any allowed names." 08-18-2025 07:01:17.784 +0000 ERROR X509 [88364 LMTrackerExecutorWorker-0] - X509 certificate (CN=license-1,OU=XXX,O=XXX,L=XXX,ST=XXX,C=XX) alternate name (license-1,localhost) did not match any allowed names (,xx.xx.xx.10) The certificate's "Subject Alternative Name" is as follows: $ sudo openssl x509 -in /opt/splunk/etc/auth/mycerts/license-1.pem -noout -text | grep -A1 "Subject Alternative Name" X509v3 Subject Alternative Name: DNS:license-1, DNS:localhost, IP Address:xx.xx.xx.10 Splunk is using the "IP Address" in the SAN. Why isn't "Address:xx.xx.xx.10" being recognized? Is it being recognized, but just not being output as a log? Please let me know if there is anything I should review. I use Google Translate to translate Japanese into English.

OGS · ‎08-14-2025

Thank you. This information was very useful. It's a mystery why only Heavy Forwarder was experiencing this issue, but the workaround solved it. [httpServerListener:127.0.0.1:<new port>] ssl=false

OGS · ‎08-13-2025

Splunk 9.4 Running splunk list forward-server returns "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca." I'm forwarding each server's internal logs to the indexer, and I noticed this during a check. Only the heavy forwarder is returning the error in the title. Are the configuration methods different for the search head and heavy forwarder? I don't think there's a problem with the certificate. I think I need to review the settings, but I'm not sure what to do. The results of running heavy-1 are as follows: $ sudo /opt/splunk/bin/splunk list forward-server Couldn't complete HTTP request: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca Running it on search-head-1 returns the following results: $ sudo /opt/splunk/bin/splunk list forward-server Active forwards: xx.xx.xx.7:9997 (ssl) Configured but inactive forwards: None Manually checking with openssl (Indexer: 9997 and 8089) confirmed that there were no issues with the certificate. $ sudo openssl s_client -connect xx.xx.xx.7:9997 -CAfile /opt/splunk/etc/auth/mycerts/myCA.pem -cert /opt/splunk/etc/auth/mycerts/heavy-1.pem Verify return code: 0 (ok) is returned, indicating successful certificate verification. A Session-ID and Master-Key have been generated, and the session has been established. The server.conf/[sslConfig] stanza for heavy-1 returns "error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca." Changing requireClientCert = true to false returns the result. $ sudo /opt/splunk/bin/splunk list forward-server Active forwards: 10.2.0.7:9997 (ssl) Configured but inactive forwards: None The following is the configuration for heavy-1. The same configuration is used for search-head-1. outputs.conf [tcpout] defaultGroup = indexer_group [tcpout:indexer_group] server = xx.xx.xx.7:9997 disabled = 0 clientCert = /opt/splunk/etc/auth/mycerts/heavy-1.pem sslVersions = tls1.2 sslCommonNameToCheck = indexer-1,heavy-1,search-head-1 useSSL = true server.conf [sslConfig] enableSplunkdSSL = true sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCA.pem serverCert = /opt/splunk/etc/auth/mycerts/heavy-1.pem requireClientCert = true <= If you set this to false, the splunk list forward-server command will return results. sslVersions = tls1.2 sslPassword = <pass> sslCommonNameToCheck = indexer-1,heavy-1,search-head-1 sslVerifyServerCert = true sslVerifyServerName = true cliVerifyServerName = true Below is Indexer inputs.conf [splunktcp-ssl:9997] disabled = 0 [SSL] serverCert = /opt/splunk/etc/auth/mycerts/indexer-1.pem sslVersions = tls1.2 requireClientCert = true sslCommonNameToCheck = heavy-1,search-head-1 server.conf [sslConfig] enableSplunkdSSL=true sslRootCAPath = /opt/splunk/etc/auth/mycerts/myCA.pem serverCert = /opt/splunk/etc/auth/mycerts/indexer-1.pem requireClientCert = true sslVersions = tls1.2 sslPassword = <pass> sslCommonNameToCheck = indexer-1,heavy-1,search-head-1 sslVerifyServerCert = true sslVerifyServerName = true cliVerifyServerName = true I use Google Translate to translate Japanese into English.

OGS · ‎08-11-2025

Specifying it explicitly resolved the issue. [replication_port://9887] disabled = false I confirmed from Captain's splunkd.log that communication with all tgtPeers is set to "useSSL=true." Thank you.

OGS · ‎08-10-2025

> The settings for TLS should be set the same way as they are on the management port. Does this mean that it needs to match the port specified in mgmt_uri in the [shclustering] stanza? > What do you mean by "doesn't work"? > Remember that you need to have a working CA for mTLS to work. > Self-signed certs most probably won't work. The splunkd.log shows "useSSL=false," which goes against my intention. This log result suggests that it's set to non-SSL. I assumed that if communication was via mTLS, "useSSL=true" would be set. If it doesn't work with a self-signed certificate, I'll try this setting another time. Thank you for your advice.

OGS · ‎08-08-2025

Please share your knowledge. Splunk 9.4 reference https://docs.splunk.com/Documentation/Splunk/9.4.2/Admin/Serverconf I'm trying to set SHC replication to mTLS, but it's not working. Alerts created in Splunk Web are being replicated. I'm using a self-signed certificate. search-head-1,search-head-2,search-head-3のsplunkd.log"port 9887 with SSL"is output. 08-06-2025 08:05:34.894 +0000 INFO TcpInputProc [148404 TcpListener] - Creating replication data Acceptor for IPv4 port 9887 with SSL However, "useSSL=false" is output to all Search Heads. 08-08-2025 02:41:30.425 +0000 INFO SHCRepJob [21691 SHPPushExecutorWorker-0] - Running job=SHPRepJob peer="search-head-2", guid="A5CDBF4C-7F71-4705-9E20-10529800C25E" aid=scheduler__nobody_U3BsdW5rX1NBX0NJTQ__RMD5fe51f0ad1d9fe444_at_1754620680_13_A5CDBF4C-7F71-4705-9E20-10529800C25E, tgtPeer="search-head-1", tgtGuid="79BB42FF-7436-4966-B8C8-951EEF67C1AD", tgtRP=9887, useSSL=false The correct response is returned with the openssl command. The created self-signed certificate is also used on 8000 and 8089. $ sudo openssl s_client \ -connect <host IP>:9887 \ -CAfile /opt/splunk/etc/auth/mycerts/<myRootCA>.pem \ -cert /opt/splunk/etc/auth/mycerts/<mycert>.pem \ -key /opt/splunk/etc/auth/mycerts/<mykey>.key Verify return code: 0 (ok) # /opt/splunk/etc/system/local/server.conf [sslConfig] enableSplunkdSSL = true sslRootCAPath = /opt/splunk/etc/auth/mycerts/<myRootCA.pem> serverCert = /opt/splunk/etc/auth/mycerts/<combined certificate.pem> requireClientCert = true sslVersions = tls1.2 sslCommonNameToCheck = <search-head-1>,<search-head-2>,<search-head-3>,・・・ sslPassword = <RootCR password> [replication_port://9887] [replication_port-ssl://9887] disabled = false serverCert = /opt/splunk/etc/auth/mycerts/<combined certificate.pem> requireClientCert = true sslVersions = tls1.2 sslCommonNameToCheck = <search-head-1>,<search-head-2>,<search-head-3> I use Google Translate to translate Japanese into English.

OGS · ‎07-23-2025

ご教授ください。 Linuxでsplunk（9.4.3）の構築を学習中です。 WebUIのフォワーダー管理でエージェントが表示されない状態です。解決策をご存知ないでしょうか。 Deployment ServerはLicense Manager、Monitoring Serverと同居しています。（XX.XX.XX.10） ClientはHeavy Forwarderです。（XX.XX.XX.8） Monitoring ConsoleではDSもClientもStatus=Upの状態です。・各confは下記のように設定 -------[Client（XX.XX.XX.8）]------- $ sudo cat /opt/splunk/etc/system/local/deploymentclient.conf [deployment-client] disabled = false clientName = HF1 [target-broker:deploymentServer] targetUri = XX.XX.XX.10:8089 $ sudo /opt/splunk/bin/splunk show deploy-poll WARNING: Server Certificate Hostname Validation is disabled. Please see server.conf/[sslConfig]/cliVerifyServerName for details. Your session is invalid. Please login. Splunk username: siv_admin Password: Deployment Server URI is set to "XX.XX.XX.10:8089". $ ------------- -------[DS（XX.XX.XX.10）]------- $ sudo cat /opt/splunk/etc/system/local/serverclass.conf [serverClass:HFs] whitelist.0 = host=heavy* whitelist.1 = XX.XX.*.* whitelist.2 = host=HF* whitelist.3 = clientName:HF* [serverClass:HFs:app:app_test] stateOnClient = enabled ------------- ・確認した事 -------[Client（XX.XX.XX.8）]------- #Client=>DS 疎通確認で応答がある $ curl -k https://XX.XX.XX.10:8089/services/server/info -u admin:XXXXX <?xml version="1.0" encoding="UTF-8"?> ・・・・・ <s:list> <s:item>indexer</s:item> <s:item>license_master</s:item> <s:item>license_manager</s:item> <s:item>deployment_server</s:item> <s:item>search_head</s:item> <s:item>kv_store</s:item> </s:list> ・・・・・ -------------- -------[DS（XX.XX.XX.10）]------- #DSにClient の設定はしていない #DS=>Client 疎通確認で応答がある $ sudo /opt/splunk/bin/splunk btool deploymentclient list --debug $ $ curl -k https://XX.XX.XX.8:8089/services/server/info -u admin:XXXXX <?xml version="1.0" encoding="UTF-8"?> ・・・・・ <s:key name="server_roles"> <s:list> <s:item>deployment_client</s:item> <s:item>search_peer</s:item> <s:item>kv_store</s:item> </s:list> </s:key> ・・・・・ -------------- その他気になる事があります。・キャッシュ（serverclass_cache.json）が生成されません。・テストで作成したAppの配布はできているように見える。 -------[Client（XX.XX.XX.8）]------- $ sudo ls -l /opt/splunk/var/run/HFs total 12 -rw-------. 1 splunk splunk 10240 Jul 22 23:23 app_test-1753173390.bundle -------------- ・splunkd.logでも疎通ができていると思われるログが出ている -------[DS（XX.XX.XX.10）]------- 07-23-2025 23:30:28.287 +0000 INFO PubSubSvr [2431 TcpChannelThread] - Subscribed: channel=deploymentServer/phoneHome/default/reply/heavy-1/HF1 connectionId=connection_XX.XX.XX.8_8089_heavy-1.internal.cloudapp.net_heavy-1_HF1 listener=0x7fbd68ccc400 -------------- よろしくお願いします。

OGS · ‎12-03-2023

thank you for teaching me.

OGS · ‎11-28-2023

please tell me. How do I hide filters in Splunk Dashboard Studio? Is it an XML-only option? XML → <form hideFilters="true"> JSON → ???

Posts	12
Solutions	0
Karma Given	3
Karma Received	0
Member Since	‎11-28-2023

Online Status	Offline
Date Last Visited	‎09-11-2025 05:39 PM

message "did not match any allowed names" is outpu...

Running splunk list forward-server returns "error:...

How do I enable mTLS for the replication port on a...

Deployment Manager フォワーダー管理でエージェントが表示されない

How do I hide filters in Splunk Dashboard Studio?

Re: message "did not match any allowed names" is o...

message "did not match any allowed names" is outpu...

Re: Running splunk list forward-server returns "er...

Running splunk list forward-server returns "error:...

Re: How do I enable mTLS for the replication port ...

Re: How do I enable mTLS for the replication port ...

How do I enable mTLS for the replication port on a...

Deployment Manager フォワーダー管理でエージェントが表示されない

Re: How do I hide filters in Splunk Dashboard Stud...

How do I hide filters in Splunk Dashboard Studio?

Join the Conversation