
Validate your configuration
To verify your SSL connections in Splunk Web, run the following search:
index=_internal source=*metrics.log* group=tcpin_connections | dedup hostname | table _time hostname version sourceIp destPort ssl
You can also use splunkd.log to validate and troubleshoot your configuration. Splunkd.log is located on your indexer and forwarder at $SPLUNK_HOME/var/log/splunk/splunkd.log.
On the indexer, look for the following or similar messages at the start-up sequence to verify a successful connection:
02-06-2011 19:19:01.552 INFO TcpInputProc - using queueSize 1000
02-06-2011 19:19:01.552 INFO TcpInputProc - SSL cipherSuite=ALL:!aNULL:!eNULL:!LOW:!EXP: RC4+RSA:+HIGH:+MEDIUM
02-06-2011 19:19:01.552 INFO TcpInputProc - supporting SSL v2/v3
02-06-2011 19:19:01.555 INFO TcpInputProc - port 9997 is reserved for splunk 2 splunk (SSL)
02-06-2011 19:19:01.555 INFO TcpInputProc - Port 9997 is compressed
02-06-2011 19:19:01.556 INFO TcpInputProc - Registering metrics callback for: tcpin_connections
On the forwarder, look for the following or similar messages at the start-up sequence to verify a successful connection:
TcpOutputProc - Retrieving configuration from properties
TcpOutputProc - Using SSL for server 10.1.12.112:9997, clientCert=/opt/splunk/etc/auth/server.pem
TcpOutputProc - ALL Connections will use SSL with sslCipher=
TcpOutputProc - initializing single connection with retry strategy for 10.1.12.112:9997
Below is how a successful connection might appear in splunkd.log on the indexer:
TcpInputProc - Connection in cooked mode from 10.1.12.111
TcpInputProc - Valid signature found
TcpInputProc - Connection accepted from 10.1.12.111
Below is how a successful connection might appear in splunkd.log on the forwarder:
TcpOutputProc - attempting to connect to 10.1.12.112:9997...
TcpOutputProc - Connected to 10.1.12.112:9997
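The forwarder-side check above can be automated. The following is an added example, not part of the Splunk documentation: it scans a forwarder's splunkd.log for the TcpOutputProc messages shown on this page and lists any server the forwarder connected to without first logging "Using SSL for server". It assumes your version logs these messages with the same wording; the function names, the timestamps and the second server (10.1.12.113) in the sample are constructed for illustration.

```python
import re

# Constructed sample of a forwarder's splunkd.log, built from the message
# wording shown on this page. Timestamps and the second server
# (10.1.12.113) are made up for illustration.
SAMPLE_LOG = """\
02-06-2011 19:19:02.101 INFO TcpOutputProc - Using SSL for server 10.1.12.112:9997, clientCert=/opt/splunk/etc/auth/server.pem
02-06-2011 19:19:02.140 INFO TcpOutputProc - attempting to connect to 10.1.12.112:9997...
02-06-2011 19:19:02.190 INFO TcpOutputProc - Connected to 10.1.12.112:9997
02-06-2011 19:19:03.010 INFO TcpOutputProc - attempting to connect to 10.1.12.113:9997...
02-06-2011 19:19:03.055 INFO TcpOutputProc - Connected to 10.1.12.113:9997
"""

# Message patterns taken from the forwarder excerpts on this page.
SSL_RE = re.compile(r"TcpOutputProc - Using SSL for server (\S+?), clientCert=(\S+)")
CONN_RE = re.compile(r"TcpOutputProc - Connected to (\S+)")


def _blank():
    """Default state for a server that has not been seen yet."""
    return {"ssl": False, "client_cert": None, "connected": False}


def audit_forwarder_log(text):
    """Map each output server to its SSL announcement and connection state."""
    servers = {}
    for line in text.splitlines():
        ssl = SSL_RE.search(line)
        conn = CONN_RE.search(line)
        if ssl:
            entry = servers.setdefault(ssl.group(1), _blank())
            entry["ssl"] = True
            entry["client_cert"] = ssl.group(2)
        elif conn:
            servers.setdefault(conn.group(1), _blank())["connected"] = True
    return servers


def connected_without_ssl(servers):
    """Servers reached without a 'Using SSL for server' line in the log."""
    return sorted(s for s, e in servers.items() if e["connected"] and not e["ssl"])


if __name__ == "__main__":
    report = audit_forwarder_log(SAMPLE_LOG)
    for server, entry in report.items():
        print(server, entry)
    print("connected without SSL:", connected_without_ssl(report))
```

To use it on a real forwarder, pass the contents of $SPLUNK_HOME/var/log/splunk/splunkd.log to audit_forwarder_log instead of SAMPLE_LOG.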
You can also check metrics.log for something similar to the following:
index=_internal host=heavy hostname=universal | stats last(connectionType) as connectionType
For help troubleshooting your configuration issues, see Troubleshoot your forwarder to indexer configuration in this manual.
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 8.0.0, 8.0.1