Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk® Enterprise. For documentation on the most recent version, go to the latest release.

Troubleshoot your forwarder to indexer authentication

1. Test your certificates:

openssl s_client -connect {server}:{port}

Port 8000, 8060, 8089, 9998, etc.

A good certificate will return the following or something similar:

Verify return code: 0 (ok)

2. Check $SPLUNK_HOME/var/log/splunk/splunkd.log (indexer and forwarder) for errors. On the indexer, check for the messages from the TCP input processor TcpInputProc. On the forwarder, check the messages from the TCP output processor TcpOutputProc.

3. Increase the logging level of the appropriate processors on the indexer and the forwarder in $SPLUNK_HOME/etc/log.cfg.

On the forwarder, set category.TcpOutputProc=DEBUG, on the indexer set category.TcpInputProc=DEBUG.

4. Restart Splunk Enterprise for these to take effect and observe the start-up sequence for the pertinent component. Most configuration issues are explicitly revealed by this method.

5. Check the SSL configuration using btool as follows:

On the indexer :

$SPLUNK_HOME/bin/splunk cmd btool inputs list --debug

On the forwarder :

$SPLUNK_HOME/bin/splunk cmd btool outputs list --debug

Common problems

  • The path to the server certificate file set as the value of serverCert in inputs.conf is wrong, or the file cannot be read. This will generate the following error :
12-16-2010 16:07:30.965 ERROR SSLCommon - Can't read certificate file /opt/splunk/etc/auth/server.pem errno=33558530 error:02001002:system library:fopen:No such file or directory
  • The password to the RSA private key contained in the server certificate file is wrong.
12-07-2010 07:56:45.663 ERROR SSLCommon - Can't read key file /opt/splunk/etc/auth/server.pem

On *nix, you can manually test the password of the RSA key contained in the file with the comand:

# openssl rsa -in /opt/splunk/etc/auth/server.pem -text

On Windows, you can manually test the password of the RSA key using the following command:

>openssl.exe rsa -in "c:\Program Files\Splunk\etc\auth\server.pem" -text
Last modified on 13 June, 2022
 

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters