Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- About ptrsnk
ptrsnk
Explorer
Member since:
03-03-2024
04-10-2025
Community Statistics
| Posts | 8 |
| Solutions | 1 |
| Karma Given | 0 |
| Karma Received | 1 |
| Member Since | 03-03-2024 |
Activity Feed
- Posted Re: Using existing Splunkweb certificate to secure an addtional port on Getting Data In. 03-04-2025 03:55 PM
- Posted Re: Using existing Splunkweb certificate to secure an addtional port on Getting Data In. 03-04-2025 02:07 PM
- Posted Re: Using existing Splunkweb certificate to secure an addtional port on Getting Data In. 03-04-2025 11:38 AM
- Got Karma for Re: Using existing Splunkweb certificate to secure an addtional port. 02-28-2025 12:57 PM
- Posted Re: Using existing Splunkweb certificate to secure an addtional port on Getting Data In. 02-28-2025 12:33 PM
- Posted Using existing Splunkweb certificate to secure an addtional port on Getting Data In. 02-28-2025 11:24 AM
- Posted Re: SPL for adding /32 to all addresses returned in a search on Splunk Search. 03-03-2024 06:38 PM
- Posted Re: SPL for adding /32 to all addresses returned in a search on Splunk Search. 03-03-2024 06:04 PM
- Posted SPL for adding /32 to all addresses returned in a search on Splunk Search. 03-03-2024 04:01 PM
- Tagged SPL for adding /32 to all addresses returned in a search on Splunk Search. 03-03-2024 04:01 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
03-04-2025
03:55 PM
Hello isoutamo; Thank you for the links; a lot of useful info. I am not an expert in the area of PKI Certificates etc. I have a basic understanding only. The term leaf certificate was new to me. Ptrsnk
... View more
03-04-2025
02:07 PM
It looks like the certificate is good for either client or server authentication.
... View more
03-04-2025
11:38 AM
I took a look at our existing servercert .pem file in vi. It did not contain the private key; it did include the root and intermediate certs I copied the contents of our private key .pem file to the location you suggested. mainCert/private key/intermediate cert/root cert I saved the new .pem file with a new name and put it in a new location under /opt/splunk/etc/auth/newssl and updated the inputs.conf file (below) at system/local. disabled = false connection_host=ip index =main [tcp:514] disabled = false connection_host=ip index =main [udp://514] index = main sourcetype=syslog disabled = no [tcp-ssl:6514] sourcetype = syslog index=syslog disabled = 0 [sslConfig] sslPassword = $7$pZd1k8bLJzFgGDno3jU7PQ4lAIFBoUbdhOAaFDZojyT1H6DGb5RdRA== serverCert = /opt/splunk/etc/auth/newssl/prcertkey.pem requireClientCert = false However, when testing the connection with openssl, I get the same behavior, a tcp connection is made, but no certificate activity. I get a CONNECTED(00000148) message which hasn't led me to anything specific. I'm still missing something. peter
... View more
02-28-2025
12:33 PM
1 Karma
Thank you livehybrid, I will tryout your suggestions and respond back to you.
... View more
02-28-2025
11:24 AM
We have an existing Splunk 9.1.3 Enterprise environment and run Splunkweb at port 8000 using an outside CA signed certificate for https. A partner wants to stream syslog data to our Splunk using a secure connection. I added the following to inputs.conf located in system/local. [tcp-ssl:6514] sourcetype = syslog index=syslog disabled = 0 [SSL] privKeyPath = /opt/splunk/etc/auth/splunkweb/2024/splprkey.key serverCert = /opt/splunk/etc/auth/splunkweb/2024/prcert.pem requireClientCert = false After a restart ,I used openssl to test the connection. Port 8000 worked normally as expected; the certificate was returned and I could see the TLS negotiation in Wireshark The openssl connection to port 6154 did not work . A connection was made and openssl did send a "Client Hello" which was visible in Wireshark, but other than an ACK the Splunk server never sent anything further. Based on an article I read, I also copied the certificate path to the server.conf file, but that didn't change anything. What am I missing? Is it incorrect to assume the same cert could be used for different ports? Any assistance appreciated! Thanks,
... View more
Labels
- Labels:
-
inputs.conf
03-03-2024
06:38 PM
I couldn't get "cird_address=remoteIP ."/32"" to work in my search. I created a more simple search and it worked fine. Your suggestion was correct. I need to do more work on my search. Thanks for your help! Peter
... View more
03-03-2024
06:04 PM
Yes I tried the .(dot) | eval cird_address=remoteIP ./32 Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at '/32'. | eval cird_address=remoteIP ."/32" This one does NOT show an error, but i get no results. Maybe there is something farther down in the search that's not correct. I check that and respond again. Thanks for your sugestion
... View more
03-03-2024
04:01 PM
Hello, I am running a search that is returning IP addresses that are being sent to a waf (web access firewall). The waf requires all IP addresses to be written in CIDR notation. I am just returning single IPs ,so I have to add a /32 to each address that I submit. I am using the stats command, looking at different parameters and them counting by IP to provide the list I am submitting. It seems like it should be straight forward using concatenation, but I haven't been able to get to a solution. eval cidr_address=remoteIP + "/32" and varieties of this approach(casting to string etc) haven't worked. Appreciate any help anyone can provide.
... View more
- Tags:
- cidr
Labels
- Labels:
-
stats
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-10-2025
12:24 PM
|
