
Troubleshoot your forwarder to indexer authentication
1. Test your certificates:
openssl s_client -connect {server}:{port} Port 8000, 8060, 8089, 9998, etc.
A good certificate will return the following or something similar:
Verify return code: 0 (ok)
2. Check $SPLUNK_HOME/var/log/splunk/splunkd.log
(indexer and forwarder) for errors. On the indexer, check for the messages from the TCP input processor TcpInputProc
. On the forwarder, check the messages from the TCP output processor TcpOutputProc
.
3. Increase the logging level of the appropriate processors on the indexer and the forwarder in $SPLUNK_HOME/etc/log.cfg
.
On the forwarder, set category.TcpOutputProc=DEBUG
, on the indexer set category.TcpInputProc=DEBUG
.
4. Restart Splunk Enterprise for these to take effect and observe the start-up sequence for the pertinent component. Most configuration issues are explicitly revealed by this method.
5. Check the SSL configuration using btool
as follows:
On the indexer :
On the forwarder :
Common problems
- The path to the server certificate file set as the value of
serverCert
in inputs.conf is wrong, or the file cannot be read. This will generate the following error :
- The password to the RSA private key contained in the server certificate file is wrong.
On *nix, you can manually test the password of the RSA key contained in the file with the comand:
On Windows, you can manually test the password of the RSA key using the following command:
PREVIOUS Validate your configuration |
NEXT About securing inter-Splunk communication |
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0
Feedback submitted, thanks!