Splunk® Secure Gateway

Administer Splunk Secure Gateway

Splunk Secure Gateway is an application that is enabled by default and included in Splunk Cloud version 8.1.2103 and Splunk Enterprise version 8.1.0 and higher. An admin must agree to the opt-in notice before using Splunk Secure Gateway. See Get started with Splunk Secure Gateway.

Troubleshoot Splunk Secure Gateway network connection issues

If you're experiencing network connection issues, make sure that your Splunk Secure Gateway version is up to date and configure your network settings appropriately.

To troubleshoot the network connection, try the following steps:

  1. Check for network connection
  2. Test for wss connection
  3. Make sure you've configured your proxy correctly
  4. Search the Splunk Secure Gateway logs for errors

Check for network connection

The Splunk Secure Gateway app comes with a Secure Gateway Status dashboard that displays connection status, KV Store status, message requests, and more. A green status indicates a connected state. View the Secure Gateway Status dashboard in the Splunk Secure Gateway Dashboards tab.

If Spacebridge is connected, the status dashboard looks like this:

Secure Gateway Status Dashboard

Alternatively, check the connection manually with the following tests.

Verify the search head host has access to Spacebridge. Run the following command:

$ curl https://prod.spacebridge.spl.mobi/health_check

This response verifies that the search head host has access to Spacebridge:

Spacebridge Status: OK

If you're using a Windows system that does not include the curl command, type https://prod.spacebridge.spl.mobi/health_check in a web browser.

If you don't receive a Spacebridge Status: OK response when checking if the search head host has access to Spacebridge, or if the modular inputs aren't running, there might be an installation issue. See Troubleshoot Splunk Secure Gateway performance issues to check whether the modular inputs are running, and see Get Splunk Secure Gateway for installation information.

If Splunk Secure Gateway isn't loading, clear your browser cache, or use an incognito tab. Splunk Secure Gateway might not load because of cache conflicts.

Test for wss connection

Splunk Secure Gateway uses the WebSocket protocol to maintain communication between Spacebridge and your Splunk platform instance. Open port 443 outbound to prod.spacebridge.spl.mobi to allow the WebSocket connection.

To check whether you have a WebSocket connection, run the following curl command at the command line:

curl -i -N -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Host: echo.websocket.events" -H "Origin: https://echo.websocket.events" -H "Sec-WebSocket-Key: d3d3LnNwbHVuay5jb20=" -H "Sec-WebSocket-Version: 13" https://echo.websocket.events

The expected result is the following:

HTTP/1.1 101 Switching Protocols
Connection: Upgrade
Upgrade: websocket
Sec-Websocket-Accept: s8sh/L5fxeyDfaeTGQj8NBegoIg=
Via: 1.1 vegur

�*echo.websocket.events sponsored by Lob.com

Proxies and firewalls might interrupt this connection. Adjust your proxy or firewall by doing the following steps:

  • Make sure you're using a compatible proxy server. See Use a proxy server with Splunk Secure Gateway for more information about using a proxy server with Splunk Secure Gateway.
  • If your proxy is running SSL decryption, it must support WebSockets or exempt prod.spacebridge.spl.mobi.

Make sure you've configured your proxy correctly

  1. Make sure you're using a compatible proxy. See Use a proxy server with Splunk Secure Gateway for more information about compatible proxies.
  2. If you're using a supported proxy, ensure that your proxy is acting as a true passthrough proxy and isn't stripping any HTTP headers.
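
The check described in the two sections above, as an added Python example that is not part of the Splunk documentation: it parses the text printed by the curl -i handshake test and reports which parts of the WebSocket upgrade are missing, as happens when a proxy strips HTTP headers. The function names and sample responses are constructed for illustration, and the sample key is the example nonce from RFC 6455.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455, appended to the client key before hashing.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def expected_accept(key):
    """Sec-WebSocket-Accept a compliant server returns for this client key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def diagnose_handshake(raw, key):
    """Return a list of problems found in text captured from `curl -i`."""
    blocks = raw.replace("\r\n", "\n").split("\n\n")
    # With a proxy, curl prints the CONNECT reply first; keep the last header block.
    heads = [b for b in blocks if b.startswith("HTTP/")]
    if not heads:
        return ["no HTTP response: connection blocked or reset"]
    lines = heads[-1].split("\n")
    status = (lines[0].split() + ["", ""])[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    problems = []
    if status != "101":
        problems.append(f"status {status}, expected 101 Switching Protocols")
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("Upgrade: websocket header missing")
    if "upgrade" not in headers.get("connection", "").lower():
        problems.append("Connection: Upgrade header missing")
    accept = headers.get("sec-websocket-accept")
    if accept is None:
        problems.append("Sec-WebSocket-Accept header missing")
    elif accept != expected_accept(key):
        problems.append("Sec-WebSocket-Accept does not match the key sent")
    return problems

# Constructed sample responses; the key is the example nonce from RFC 6455.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD = ("HTTP/1.1 200 Connection established\r\n\r\n"
        "HTTP/1.1 101 Switching Protocols\r\nConnection: Upgrade\r\n"
        "Upgrade: websocket\r\n"
        "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
STRIPPED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for name, resp in (("passthrough proxy", GOOD), ("stripping proxy", STRIPPED)):
        print(name, "->", diagnose_handshake(resp, SAMPLE_KEY) or "handshake OK")
```

An empty list means the upgrade completed end to end; any entry points to the proxy or firewall settings covered above.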

Search the Splunk Secure Gateway logs for errors

Use the Search & Reporting app to search the Splunk Secure Gateway logs for errors.

Search for unusual errors

Search for unusual errors in the Search & Reporting app:

index=_internal source=*secure_gateway* ERROR AND NOT SUBSCRIPTION

Trace a specific request

Search for a specific request ID to trace a specific request:

index=_internal source=*secure_gateway* request_id

Then, copy and paste the request ID in the search bar:

index=_internal source=*secure_gateway* request_id=<your_id_here>

Export logs

Export the logs to further troubleshoot Splunk Secure Gateway. Export Splunk Secure Gateway logs as raw events so that you can use the "secure_gateway_app_internal_log" source type in your search.

Last modified on 12 January, 2022

This documentation applies to the following versions of Splunk® Secure Gateway: 2.4.0, 2.0.2, 2.5.6 Cloud Only, 2.5.7, 2.6.3 Cloud only, 2.7.3 Cloud only, 2.7.4, 2.8.4 Cloud only, 2.9.1 Cloud only, 2.9.3 Cloud only, 2.9.4 Cloud only, 3.0.9, 3.1.2 Cloud only, 3.2.0 Cloud only, 3.3.0 Cloud only, 3.4.251, 3.5.15 Cloud only
