cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
BRFZ
Communicator
Member since: ‎03-26-2024
Monday
Community Statistics
Posts 62
Solutions 0
Karma Given 26
Karma Received 1
Member Since ‎03-26-2024
Activity Feed
Topics I've Started
View All

Re: SSL/TLS Configuration on Splunk Forwarder (Win...

by in Getting Data In
3 weeks ago
3 weeks ago
Hello, @kiran_panchavat, @PickleRick , @livehybrid  Thank you for your responses; they were very helpful for me. However, I would like to know if you happen to know why I am getting ack set to false? ... View more

Re: SSL/TLS Configuration on Splunk Forwarder (Win...

by in Getting Data In
3 weeks ago
3 weeks ago
@kiran_panchavat, Thank you for your response. I reviewed the documentation, and I found the following phrase for configuring SSL on both indexers and forwarders (non-Windows): "On forwarders that do not run on Windows, open the server.conf configuration file for editing. Add the following stanza and settings to the file: [sslConfig] sslRootCAPath = <absolute path to the certificate authority certificate>" Based on this, it seems that the CA configuration is required only on non-Windows systems (Linux). Could you please confirm if this configuration is needed for Windows forwarders as well? Thank you for your help! ... View more

SSL/TLS Configuration on Splunk Forwarder (Windows...

by in Getting Data In
3 weeks ago
3 weeks ago
Hello, I’ve been reviewing the documentation for configuring SSL/TLS on a Splunk forwarder, but I couldn’t find the specific steps for setting it up on a Windows machine. Would anyone be able to provide the procedure or a link to the relevant documentation? Best regards, ... View more

Enterprise security app

by in Splunk Enterprise Security
4 weeks ago
4 weeks ago
Hello, I am currently working on configuring Splunk Enterprise Security app, I already have data flowing into Splunk Enterprise, but I'm not sure how to properly configure the data inputs for the app. Could anyone guide me on how to configure the data sources in Enterprise Security app ? If there is any specific documentation on this, I would appreciate it if you could provide it. ... View more

Splunk log retention

by in Splunk Enterprise
‎03-13-2025 03:53 AM
‎03-13-2025 03:53 AM
Hello, I would like to know if it possible to define the retention period for each type of log (Hot/Warm/Cold). For example, setting the total frozenTimePeriodInSecs to 3 years while specifying a 1 year retention period for each stage (Hot,Warm and Cold). Could you please clarify this? ... View more

Re: SSL Configuration Error

by in Splunk Enterprise
‎01-21-2025 05:13 AM
‎01-21-2025 05:13 AM
Hello, The configuration files contain the following: [sslConfig] enableSplunkdSSL = true sslPassword = value sslRootCAPath = /path/to/ca/cert serverCert = /path/to/srv/cert caTrustStore = splunk caTrustStorePath = path/to/trust/ca caPath = path/to/trust/c caCertFile = path/to./ca Yes, the connection was to the management port. The self-signed certificate was only for the web interface (and I have no issues regarding that). However, the problem lies between the components of the architecture. ... View more

Re: SSL Configuration Error

by in Splunk Enterprise
‎01-10-2025 02:49 AM
‎01-10-2025 02:49 AM
Hello, I ran the following command: curl -vk https://host:port and received this : *   Trying host:port... * Connected to host (host) port port (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * TLSv1.0 (OUT), TLS header, Certificate Status (22): * TLSv1.3 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.3 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS header, Finished (20): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS header, Certificate Status (22): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS header, Finished (20): * TLSv1.2 (IN), TLS header, Certificate Status (22): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 * ALPN, server did not agree to a protocol * Server certificate: *  subject: CN=*.example.com *  start date: Feb 19 15:15:40 2024 GMT *  expire date: Jan 19 14:02:43 2025 GMT *  issuer: C=*; ST=*; L=*; O=SSL Corporation; CN= *  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway. * TLSv1.2 (OUT), TLS header, Supplemental data (23): > GET / HTTP/1.1 > Host: host:port > User-Agent: curl/7.81.0 > Accept: */* > * TLSv1.2 (IN), TLS header, Supplemental data (23): * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK < Date: Sun, 6 Jan 2025 08:30:21 GMT < Content-Type: text/xml; charset=UTF-8 < X-Content-Type-Options: nosniff < Content-Length: 1994 < Connection: Keep-Alive < X-Frame-Options: SAMEORIGIN < Server: Splunkd < * TLSv1.2 (IN), TLS header, Supplemental data (23): <?xml version="1.0" encoding="UTF-8"?> <!--This is to override browser formatting; see server.conf[httpServer] to disable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .--> <?xml-stylesheet type="text/xml" href="/static/atom.xsl"?>   <title>splunkd</title>   <updated>2025-01-06T09:30:21+01:00</updated>   <generator build="d8bb32809498" version="9.3.2"/>   <author>     <name>Splunk</name>   </author>   <entry>     <title>services</title>     <updated>1970-01-01T01:00:00+01:00</updated>     <link href="/services" rel="alternate"/>   </entry>   <entry>     <title>servicesNS</title>     <updated>1970-01-01T01:00:00+01:00</updated>     <link href="/servicesNS" rel="alternate"/>   </entry>   <entry>     <title>static</title>          <updated>1970-01-01T01:00:00+01:00</updated>     <link href="/static" rel="alternate"/>   </entry> </feed> * Connection #0 to host host left intact   For security reasons some fields have been removed/changed. ... View more

Re: SSL Configuration Error

by in Splunk Enterprise
‎01-09-2025 07:50 AM
‎01-09-2025 07:50 AM
Hello, In the first one I tested the OS's OpenSSL and with the command you mentioned, I get the following response: read:errno=0. ... View more

SSL Configuration Error

by in Splunk Enterprise
‎01-09-2025 02:39 AM
‎01-09-2025 02:39 AM
Hello SplunkCommunity, After configuring SSL, when I execute the following command: openssl s_client -showcerts -connect host:port I am encountering the following error: 803BEC33F07F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:317: Could anyone help me understand why I am seeing this error and assist me in resolving it? Thank you in advance for your help. Best regards,   ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎01-02-2025 01:15 AM
‎01-02-2025 01:15 AM
Thank you so much for your help. I am pleased to share that I was able to resolve the initial issue by adjusting the PEM file. However, when I execute the command: openssl s_client -showcerts -connect hostname:port I get a connected status, but it ultimately results in the following error: 80FB2563307F0000:error:0A000126:SSL routines:ssl3_read_n:unexpected eof while reading:../ssl/record/rec_layer_s3.c:317: Additionally, another error is displayed: Verification error: self-signed certificate in certificate chain Your help would be greatly appreciated. ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-31-2024 01:28 AM
‎12-31-2024 01:28 AM
Here is the configuration file.  [sslConfig] enableSplunkdSSL = true sslRootCAPath = /opt/splunk/etc/auth/cert/CA.pem serverCert = /opt/splunk/etc/auth/cert/srv.pem For the PEM files, as mentioned earlier, they contain the 'BEGIN CERTIFICATE' and 'END CERTIFICATE' sections. ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-31-2024 12:58 AM
‎12-31-2024 12:58 AM
From what I understand, I need to combine the .pem file with the private key, and this combined file is what I should use in the configuration, correct ?  ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-31-2024 12:39 AM
‎12-31-2024 12:39 AM
The format of a .pem file is as follows:  -----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-30-2024 07:38 AM
‎12-30-2024 07:38 AM
Yes, I have verified it, and everything is correct. ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-30-2024 07:23 AM
‎12-30-2024 07:23 AM
Hi Dear Community, I am encountering the following error across all servers: SSLCommon - Can't read key file from /opt/splunk/etc/auth/CERT.pem ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-24-2024 05:53 AM
‎12-24-2024 05:53 AM
I have followed the configuration steps as outlined, but unfortunately, I have lost the connection between the components. I have applied the certificate configurations and other related settings in server.conf, including modifying the search peers to use HTTPS in distsearch.conf. I also modified the master license slave to use HTTPS, but I did not make any changes to the license master itself. Could you confirm if there are any specific configurations required on the master license? After applying the changes, the Server Manager has become extremely slow, and I can no longer access its web interface. Additionnaly, I lost connectivity between the components.  Is there someone who could help me with resolving this issue please? ... View more

KV Store Configuration in Distributed Deployment

by in Deployment Architecture
‎12-24-2024 05:42 AM
‎12-24-2024 05:42 AM
Hello Splunk Community, I am working on the configuration of a distributed Splunk deployment, and I need clarification regarding the KV Store. Could you please confirm where the KV Store should be configured in a distributed environment? Should it be enabled on the Search Heads, Indexers, or another component of the deployment? Any guidance on best practices would be greatly appreciated. Thank you for your help! Best regards, ... View more

Re: Deployment Server Clients

by in Splunk Enterprise
‎12-18-2024 02:50 AM
1 Karma
‎12-18-2024 02:50 AM
1 Karma
@richgalloway @PickleRick @isoutamo Thank you all for your responses. This information is very helpful for me to better understand this topic. ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎12-18-2024 02:30 AM
‎12-18-2024 02:30 AM
Thank you for your response and the provided documentation. I’ve already followed the steps, but encountered communication issues and I had to reset the configuration in order to restore connectivity. Could you please provide a more detailed procedure or tailored guidance for my case to help me securely configure TLS/SSL? ... View more

Deployment Server Clients

by in Splunk Enterprise
‎12-17-2024 03:03 AM
‎12-17-2024 03:03 AM
Hello, I know that it is necessary to do this for the forwarders but I would like to confirm whether it is necessary to add other components (such as indexers, search heads) as clients to our Deployment Server in Splunk environment. We currently have a Deployment Server set up, but we are unsure if registering the other instances as clients is a required step, or if any specific configurations need to be made for each type of component. Thank you in advance. Best regards, ... View more

Errors After Upgrading Splunk from 9.1.1 to Latest...

by in Splunk Enterprise
‎12-16-2024 07:25 AM
‎12-16-2024 07:25 AM
  Hi Splunk Community, I recently upgraded my Splunk environment from version 9.1.1 to the latest version. After the upgrade, I’m encountering errors when trying to restart Splunk across different components. For example, I get the following error: Invalid key in stanza [default] in /opt/splunk/etc/system/local/indexes.conf, line 132: archiver.enableDataArchive (value: false) It seems like some configuration keys are no longer valid in the updated version. Has anyone faced similar issues, and how can I resolve these errors to ensure my configurations are compatible with the latest Splunk version? Thanks in advance for your help! Best regards, ... View more

Splunk Enterprise Upgrade

by in Installation
‎11-28-2024 06:43 AM
‎11-28-2024 06:43 AM
Hello, I would like to confirm if it is possible to upgrade Splunk directly from version 9.1.1 to 9.3 on Linux, without going through version 9.2. Could you please clarify if this is supported and if there are any specific considerations for this process? Best regards, ... View more

Missing Internal Logs from Server

by in Monitoring Splunk
‎11-25-2024 07:48 AM
‎11-25-2024 07:48 AM
Hello, I have a server configured with three roles: Deployment Server, Console Monitoring, and License Master. However, I am not receiving the internal and audit logs from this server, such as logs from the Search Head or Indexers. If you have any solutions to this problem, I would greatly appreciate your help.   ... View more

Re: How to secure the Splunk platform with SSL

by in Deployment Architecture
‎11-12-2024 06:42 AM
‎11-12-2024 06:42 AM
Thank you @dural_yyz for your prompt response and for providing the documentation. However, I need further assistance regarding the SSL certificates that need to be generated for my Splunk environment. Could you please clarify whether I need to generate a separate certificate for each component (e.g., search head, indexers, forwarders, etc.)? Additionally, do I need to create different certificates for the various connections between these components? ... View more

How to secure the Splunk platform with SSL

by in Deployment Architecture
‎11-12-2024 05:21 AM
‎11-12-2024 05:21 AM
Hello, I have a distributed Splunk architecture with a single search head, two indexers, and management tier : License Master, Monitoring Console, and Deployment Server, in addition to the forwarders. SSL has already been configured for the web interfaces, but I would now like to secure the remaining components and establish SSL-encrypted connections between them as well. The certificates we are using are self-generated. Could you please guide me on how to proceed with securing all internal communications in this setup? Specifically, I would like to know if I should auto-generate a new certificate for each component and each connection or if there’s an efficient way to manage SSL across the entire environment. Thank you in advance for your help! ... View more
Contact Me
Online Status
Offline
Date Last Visited
Monday
Karma from
View All
Karma given to