Distribute certificates to your search peers
This documentation does not apply to the most recent version of Splunk.
When you enable distributed search on a Splunk instance and restart it, keys are generated in $SPLUNK_HOME/etc/auth/distServerKeys/.
Distribute the files $SPLUNK_HOME/etc/auth/distServerKeys/trusted.pem and private.pem from one host to the others that will participate in distributed search.
Support for different keys from multiple Splunk instances
Any number of Splunk instances can have their own unique certificates stored on other instances for authentication.
The instances can store keys in $SPLUNK_HOME/etc/auth/distSearchKeys/<peer_name>/<trusted|private>.pem
For example, if you have Splunk instances A and B, each with different keys, and both want to search Splunk instance C, do the following:
- On peer C, create $SPLUNK_HOME/etc/auth/distSearchKeys/A/ and etc/auth/distSearchKeys/B/.
- Then, copy A's keys to $SPLUNK_HOME/etc/auth/distSearchKeys/A/ and B's keys to $SPLUNK_HOME/etc/auth/distSearchKeys/B/.
- Finally, restart C.
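The steps above for peer C, as an added shell example that is not part of the Splunk documentation. The function name install_peer_keys and the staging directories are assumptions; the function rejects peer names that would escape distSearchKeys/ and restricts permissions on the copied key files.

```shell
#!/bin/sh
# Added example: stage another instance's key files on a search peer (peer C).
# Usage: install_peer_keys SPLUNK_HOME PEER_NAME SOURCE_DIR
#   SOURCE_DIR is a hypothetical staging directory holding the trusted.pem and
#   private.pem copied from PEER_NAME over a secure channel.
install_peer_keys() {
    splunk_home=$1 peer=$2 src=$3

    # The peer name becomes a directory name under distSearchKeys/;
    # refuse empty names, dot entries and anything containing a slash.
    case $peer in
        ''|.|..|*/*) echo "invalid peer name: '$peer'" >&2; return 2 ;;
    esac

    # Both files must exist and be non-empty before anything is written.
    for f in trusted.pem private.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 3; }
    done

    dest=$splunk_home/etc/auth/distSearchKeys/$peer
    (
        # Subshell keeps the tightened umask from leaking into the caller.
        umask 077
        mkdir -p "$dest" && chmod 700 "$dest" &&
        cp "$src/trusted.pem" "$src/private.pem" "$dest/" &&
        chmod 600 "$dest/trusted.pem" "$dest/private.pem"
    ) || return 4

    echo "installed keys for $peer in $dest"
}

# On peer C, after staging A's and B's files (paths are placeholders):
#   install_peer_keys "$SPLUNK_HOME" A /path/to/staged/A
#   install_peer_keys "$SPLUNK_HOME" B /path/to/staged/B
#   "$SPLUNK_HOME/bin/splunk" restart
```

Run it as the user that owns the Splunk installation so the restarted instance can read the files.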
If you are having problems determining the appropriate configuration for the inputs.conf and outputs.conf, feel free to check out this forum posting. In general, the sharing of keys through Splunk Web has a high level of success.
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11