I've been trying to install an older version of the Splunk Forwarder on a Server 2016 R2 box with no luck. I'm pretty sure I have what is needed in the inputs.conf, outputs.conf, the server.pem file, and the cacert.pem file. Is there anything else I could be missing? I even restarted the Splunk service and it's still not popping up. I'm not familiar with reading the splunkd logs to see what could have gone wrong.
It looks like I forgot the deploymentclient piece and a few other things as well. I have the box now showing in Splunk; I'm just trying to ship logs to it now, and that doesn't seem to be working! Oh, what a process! I'll open a new thread for that.
I actually found some things on our main Splunk server, which is likely why this isn't working:
04-21-2017 10:42:23.281 -0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read client key exchange A', alert_description='certificate expired'.
04-21-2017 10:42:23.281 -0400 ERROR TcpInputProc - Error encountered for connection from src=172.16.X.X:56238. error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired
*I put the X.X in
Do you know which cert this is referring to?
Sorry, I meant to say Windows Server 2016 Server Core - still unsupported? I think the install went through; it's just that it's not popping up. I was doing this as a test. We will be upgrading our forwarders that are currently at 6.4.1 and I wanted to test Ansible plays. Do you suggest maybe I try spinning up another Windows Server that isn't 2016? Thanks!
My 6.5.2 install on my 2016 server with GUI works pretty well, but I'm only collecting basic Windows TA information at the moment.
6.5.4 will add support for 2016 server in late May.