
Troubleshoot your forwarder to indexer authentication
1. Test your certificates:
openssl s_client -connect {server}:{port} Port 8000, 8060, 8089, 9998, etc.
A good certificate will return the following or something similar:
Verify return code: 0 (ok)
2. Check $SPLUNK_HOME/var/log/splunk/splunkd.log
(indexer and forwarder) for errors. On the indexer, check for the messages from the TCP input processor TcpInputProc
. On the forwarder, check the messages from the TCP output processor TcpOutputProc
.
3. Increase the logging level of the appropriate processors on the indexer and the forwarder in $SPLUNK_HOME/etc/log.cfg
.
On the forwarder, set category.TcpOutputProc=DEBUG
, on the indexer set category.TcpInputProc=DEBUG
.
4. Restart Splunk Enterprise for these to take effect and observe the start-up sequence for the pertinent component. Most configuration issues are explicitly revealed by this method.
5. Check the SSL configuration using btool
as follows:
On the indexer :
On the forwarder :
Common problems
- The path to the server certificate file set as the value of
serverCert
in inputs.conf is wrong, or the file cannot be read. This will generate the following error :
- The password to the RSA private key contained in the server certificate file is wrong.
On *nix, you can manually test the password of the RSA key contained in the file with the comand:
On Windows, you can manually test the password of the RSA key using the following command:
PREVIOUS Validate your configuration |
NEXT About securing inter-Splunk communication |
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3
Feedback submitted, thanks!