I'm setting up a Splunk Indexer (Splunk Enterprise 6.4.1) on CentOS 6.8 64-bit. I do have the Splunk Add-on for Microsoft Windows installed on the indexer.
My (/opt/splunk/etc/system/local/)inputs.conf (owned by root.root, 600 permissions):
[default]
host = splunkidx
[splunktcp-ssl:9997]
disabled = 0
queueSize = 1000
[SSL]
password = <>
requireClientCert = false
rootCA = /opt/splunk/etc/auth/ssocerts/FACE-CA-root.pem
serverCert = /opt/splunk/etc/auth/ssocerts/splunkidx-idx.pem
sslVersions = tls, =tls1.0
I'm trying to receive data from Windows 7 64-bit Universal Forwarder.
My (C:\Program Files\SplunkUniversalForwarder\etc\system\local\)outputs.conf (default permissions and ownership):
[tcpout]
defaultGroup = default-autolb-group
maxQueueSize = 1000
[tcpout:default-autolb-group]
server = 192.168.58.11:9997
sslCertPath = etc\auth\ssocerts\splunk-forwarder-agent.pem
sslPassword = <>
sslRootCAPath = etc\auth\ssocerts\FACE-CA-root.pem
sslVerifyServerCert = true
sslCommonNameToCheck = splunkidx.<>
The Splunk Indexer starts fine. I can even enable the web interface and access it.
The Splunk Forwarder starts fine. No errors during startup.
When the Forwarder has finished starting and begins attempting to contact the indexer, I see the following log information.
My (C:\Program Files\SplunkUniversalForwarder\var\log\splunk\)splunkd.log:
07-27-2016 07:30:44.060 -0600 ERROR TcpOutputFd - Read error. An established connection was aborted by the software in your host machine.
07-27-2016 07:31:14.074 -0600 ERROR TcpOutputFd - Read error. An existing connection was forcibly closed by the remote host.
This appears in random duplicate stanzas throughout the log until I kill splunkd.
On the Indexer, I see the following corresponding log entries.
My (/opt/splunk/var/log/splunk/)splunkd.log:
07-27-2016 08:30:39.697 -0600 ERROR TcpInputProc - Error encountered for connection from src=192.168.50.151:65251. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
07-27-2016 08:31:09.697 -0600 ERROR TcpInputProc - Error encountered for connection from src=192.168.50.151:65252. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Since I don't have enough forum points, I can't post links here, but I've verified settings and suggestions posted in other answers on this forum, specifically:
- The server.conf is configured with:
...
[sslConfig]
sslKeysfilePassword = <>
useClientSSLCompression = true
...
- The version of OpenSSL on the forwarder is: OpenSSL 1.0.2h-fips 3 May 2016
- The version of OpenSSL on the indexer is: openssl 1.0.1e
- I have appended the server keys to the server cert in a new file, and that's what I'm using in the above configurations.
At this point I'm entirely out of ideas, but I really need to get these Windows systems talking to Splunk Enterprise! Your advice is greatly appreciated!!
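The indexer-side error in the question carries a packed OpenSSL error code (error:140760FC). The following script is an added troubleshooting aid, not something from the original post or from Splunk: it parses splunkd.log lines of the form shown above, unpacks the code the way OpenSSL 1.0.x does (library, function and reason fields), and counts how often each source address hit each SSL failure. The sample log text is constructed from the two lines in the question plus one unrelated INFO line, and the code-to-name mapping is hard-coded only for the values that appear on this page.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample: the two error lines from the question plus one
# unrelated line, to show that non-SSL lines are ignored.
SAMPLE_LOG = """\
07-27-2016 08:30:39.697 -0600 ERROR TcpInputProc - Error encountered for connection from src=192.168.50.151:65251. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
07-27-2016 08:31:09.697 -0600 ERROR TcpInputProc - Error encountered for connection from src=192.168.50.151:65252. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
07-27-2016 08:31:39.001 -0600 INFO  TcpInputProc - Connection established from src=192.168.50.152:50001
"""

# splunkd.log layout: "<ts> <tz> <LEVEL> <component> - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+) - (?P<msg>.*)$"
)
SRC_RE = re.compile(r"src=(?P<ip>[\d.]+):(?P<port>\d+)")
# OpenSSL's textual form: error:<8 hex digits>:<lib>:<func>:<reason>
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.*)$"
)

# OpenSSL 1.0.x (the indexer runs 1.0.1e) packs an error as
# ERR_PACK(lib, func, reason) = lib<<24 | func<<12 | reason.
# OpenSSL 3.x no longer encodes a function number, so the middle field is 0 there.
ERR_LIB_SSL = 20          # 0x14, "SSL routines"
SSL_R_UNKNOWN_PROTOCOL = 252  # 0xFC, "unknown protocol"


@dataclass
class SslError:
    ts: str
    src_ip: str
    src_port: int
    code: int
    lib: int
    func: int
    reason: int
    func_name: str
    reason_text: str


def unpack_err(code: int) -> Tuple[int, int, int]:
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def parse_line(line: str) -> Optional[SslError]:
    """Return an SslError for a splunkd.log line carrying an OpenSSL error, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    err = ERR_RE.search(m["msg"])
    if not err:
        return None
    src = SRC_RE.search(m["msg"])
    ip, port = (src["ip"], int(src["port"])) if src else ("?", 0)
    code = int(err["code"], 16)
    lib, func, reason = unpack_err(code)
    return SslError(m["ts"], ip, port, code, lib, func, reason,
                    err["func"], err["reason"])


def explain(e: SslError) -> str:
    """Plain-language reading of the decoded error, for the cases seen on this page."""
    if e.lib == ERR_LIB_SSL and e.reason == SSL_R_UNKNOWN_PROTOCOL:
        return ("listener did not recognise the first bytes from this peer as an "
                "SSL/TLS handshake; confirm the forwarder is actually starting TLS "
                "on this connection and that nothing in between rewrites it")
    return f"{e.func_name}: {e.reason_text}"


def summarize(log_text: str) -> Dict[Tuple[str, str, str], int]:
    """Count SSL failures per (source IP, OpenSSL function, reason text)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is not None:
            counts[(e.src_ip, e.func_name, e.reason_text)] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(f"{key[0]} {key[1]} ({key[2]}): {n} connection(s)")
    first = parse_line(SAMPLE_LOG.splitlines()[0])
    print(f"lib={first.lib} func={first.func} reason={first.reason} -> {explain(first)}")
```

Run it over the indexer's splunkd.log (replace SAMPLE_LOG with the file contents) to see whether every failing connection comes from the same forwarder and with the same reason; a steady stream of "unknown protocol" from one source, paired with the forwarder's own "connection aborted" errors, points at the client side of the handshake rather than at certificate or CA problems, which would produce different OpenSSL reason codes.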