Deployment Architecture

How to connect Search Head Cluster members to Indexers Cluster Master?

siemteam
Explorer

After check some different questions about this I cannot find a solution.

I'm trying to point my search head cluster to my indexers cluster using Cluster Master but when I use the following command on a SH Cluster member:

/opt/splunk/bin/splunk edit cluster-config -mode searchhead -master_uri https://cmserver:8089 -secret myKey

I recieve the following error message:

Could not contact master. Check that the master is up, the master_uri=https://cmserver:8089 and secret are specified correctly

splunkd.log on cluster master:

01-21-2019 18:25:15.530 +0100 ERROR DigestProcessor - Failed signature match
01-21-2019 18:25:15.531 +0100 ERROR LMHttpUtil - Failed to verify HMAC signature, uri: /services/cluster/master/info

I think that pass4SymmKey is equal on both servers, but how can I check it?

Thanks

Labels (2)

Marco-IT
Path Finder

Hi @siemteam , did you solve the issue related to following messages?

01-21-2019 18:25:15.530 +0100 ERROR DigestProcessor - Failed signature match
01-21-2019 18:25:15.531 +0100 ERROR LMHttpUtil - Failed to verify HMAC signature, uri: /services/cluster/master/info

0 Karma

dkeck
Influencer

HI,

you can decrypt passwords like that :

https://www.hurricanelabs.com/splunk-tutorials/make-splunk-do-it-how-to-decrypt-passwords-encrypted-...

sounds like they have different secrets files

0 Karma

siemteam
Explorer

I'm not able to connect any search head cluster member to cluster master, instead of decrypt the passowrd (I haven't got other server to follow the process) I'm typing the password again in plain text at each server on /local/server.conf under [clustering] stanza but continue happening the same.

Any idea?

Thanks again

0 Karma

dkeck
Influencer

Did you try it via UI?

0 Karma

siemteam
Explorer

I cannot find steps to do it using UI, could you provide me a link please?

Thanks

0 Karma

dkeck
Influencer
0 Karma

siemteam
Explorer

At the end you can read the following:

If you want to deploy a search head cluster, so that the search heads share configurations and jobs, see the additional configuration instructions in the topic "Integrate the search head cluster with an indexer cluster" in the Distributed Search manual.

Is the case that I have, I'm trying to connect the members of the cluster.

0 Karma

dkeck
Influencer
0 Karma

siemteam
Explorer

Yes, Is the procedure that I'm following but at the moment of link to cluster master is not possible, I'm modifying the pass4SymmKey on each server but it's not working

0 Karma

siemteam
Explorer

Thanks for the answer, I'm going to check the way to decrypt password.

When you talk about secrets file I undestand that the file /opt/splunk/etc/auth/splunk.secret, right?

What does this file exactly contains? is generated taking pass4SimmKey or it's different?

On the same folder I can find splunk.secret.oldKey and splunk.secret.oldKey.orig (maybe I generated these files indirectly trying to solve the issue)

Thank you so much

0 Karma

dkeck
Influencer

yes, I am talking about the splunk.secret. Its used to hash the passwords you enter for pass4Symmkey.

I am not sure but this splunk.secret.oldKey does not sound like something that happens done by splunk. Maybe someone just changed this file on your server?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...