Troubleshoot your forwarder to indexer authentication
1. Test your certificates:
openssl s_client -connect {server}:{port} Port 8000, 8060, 8089, 9998, etc.
A good certificate will return the following or something similar:
Verify return code: 0 (ok)
2. Check $SPLUNK_HOME/var/log/splunk/splunkd.log
(indexer and forwarder) for errors. On the indexer, check for the messages from the TCP input processor TcpInputProc
. On the forwarder, check the messages from the TCP output processor TcpOutputProc
.
3. Increase the logging level of the appropriate processors on the indexer and the forwarder in $SPLUNK_HOME/etc/log.cfg
.
On the forwarder, set category.TcpOutputProc=DEBUG
, on the indexer set category.TcpInputProc=DEBUG
.
4. Restart Splunk Enterprise for these to take effect and observe the start-up sequence for the pertinent component. Most configuration issues are explicitly revealed by this method.
5. Check the SSL configuration using btool
as follows:
On the indexer :
On the forwarder :
Common problems
- The path to the server certificate file set as the value of
serverCert
in inputs.conf is wrong, or the file cannot be read. This will generate the following error :
- The password to the RSA private key contained in the server certificate file is wrong.
On *nix, you can manually test the password of the RSA key contained in the file with the comand:
On Windows, you can manually test the password of the RSA key using the following command:
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12
Feedback submitted, thanks!