http://www.splunk.com/support/forum:SplunkAdministration/3866 Mon, 13 Feb 2012 17:33:51 PST Mon, 13 Feb 2012 17:33:51 PST en-us http://creativecommons.org/licenses/by-nc-nd/2.5/ http://www.splunk.com/support/forum:SplunkAdministration/3866/12851 <p>Hi</p> <p>I have forwarding and receiving working fine now until I try to encrypt the forwarding connection with SSL</p> <p>Following this link <a href="http://www.splunk.com/base/Documentation/4.0.8/Admin/UseSSLencryptionbetweenforwardersandreceivers?r=searchtip">http://www.splunk.com/base/Documentation/4.0.8/Admin/UseSSLencryptionbetweenforwardersandreceivers?r=searchtip</a></p> <p>I have the following setup</p> <p>On the <a class="wiki_url_new" href="/base/SplunkLightForwarder">SplunkLightForwarder</a></p> <p>Working without SSL on the Forwarder /opt/splunk/etc/apps/<a class="wiki_url_new" href="/base/SplunkLightForwarder">SplunkLightForwarder</a>/local/inputs.conf</p> <p>[default]<br /> index = devidx<br /> host = rhdev<br /> _rcvbuf = 1572864</p> <p>[monitor:<em>var/log/*.log]<br /> disabled = false<br /> blacklist = gz<br /> _TCP_ROUTING = *</p> <p>Working without SSL on the Forwarder /opt/splunk/etc/apps/<a class="wiki_url_new" href="/base/SplunkLightForwarder">SplunkLightForwarder</a>/local/outputs.conf</p> <p>[tcpout]<br /> defaultGroup = devserver_29997<br /> disabled = false<br /> maxQueueSize = 1000</p> <p>[tcpout:devserver_29997]<br /> server = devserver:29997</p> <p>Working without SSL on the Receiver /opt/splunk/etc/apps/search_new_app/local/inputs.conf</p> <p>[splunktcp:</em>29997]<br /> disabled = false<br /> _blacklist = gz<br /> index = devidx</p> <p>Then I set up encryption according to the link above and data stops getting to the devidx index.</p> <p>not working With SSL on the Forwarder /opt/splunk/etc/apps/<a class="wiki_url_new" href="/base/SplunkLightForwarder">SplunkLightForwarder</a>/local/outputs.conf</p> <p>[tcpout]<br /> defaultGroup = devserver_29997<br /> disabled = false<br /> maxQueueSize = 1000</p> <p>[tcpout:devserver_29997]<br /> server = devserver:29997</p> <p>[tcpout-server:<em>devserver:29997]<br /> sslCertPath=/opt/splunk/etc/auth/server.pem<br /> sslRootCAPath=/opt/splunk/etc/auth/cacert.pem<br /> sslPassword=password<br /> sslVerifyServerCert=false</p> <p>not working with SSL on the Receiver /opt/splunk/etc/apps/search_new_app/local/inputs.conf</p> <p>[splunktcp-ssl:</em>29997]<br /> index = devidx<br /> disabled = false<br /> _blacklist = gz</p> <p>not working with SSL on the Receiver /opt/splunk/etc/system/local/inputs.conf</p> <p>[default]<br /> host = devserver<br /> [SSL]<br /> serverCert=/opt/splunk/etc/auth/server.pem<br /> password=password<br /> rootCA=/opt/splunk/etc/auth/cacert.pem<br /> requireClientCert=false</p> <p>[splunktcp-ssl://29997]<br /> index = devidx</p> <p>here is the splunkd.log from the <a class="wiki_url_new" href="/base/SplunkLightforwarder">SplunkLightforwarder</a> on start up</p> <p>1-28-2010 11:52:44.722 INFO <a class="wiki_url_new" href="/base/TcpOutputProc">TcpOutputProc</a> - Retrieving configuration from properties<br /> 01-28-2010 11:52:44.725 INFO <a class="wiki_url_new" href="/base/TcpOutputProc">TcpOutputProc</a> - Will retry at max backoff sleep forever<br /> 01-28-2010 11:52:44.725 INFO <a class="wiki_url_new" href="/base/TcpOutputProc">TcpOutputProc</a> - Using SSL for server devserver:29997, sslCertPath=/opt/splunk/etc/auth/server.pem<br /> 01-28-2010 11:52:44.725 INFO <a class="wiki_url_new" href="/base/TcpOutputProc">TcpOutputProc</a> - ALL Connections will use SSL with sslCipher=<br /> 01-28-2010 11:52:44.726 INFO <a class="wiki_url_new" href="/base/TcpOutputProc">TcpOutputProc</a> - initializing single connection with retry strategy for devserver:29997<br /> 01-28-2010 11:52:44.732 INFO loader - Instantiated plugin: controlqueueoutputprocessor<br /> 01-28-2010 11:52:44.733 INFO loader - Instantiated plugin: deploymentprocessor<br /> 01-28-2010 11:52:44.734 INFO <a class="wiki_url_new" href="/base/TcpOutputProc">TcpOutputProc</a> - attempting to connect to devserver:29997...<br /> 01-28-2010 11:52:44.739 WARN <a class="wiki_url_new" href="/base/DeploymentClient">DeploymentClient</a> - <a class="wiki_url_new" href="/base/DeploymentClient">DeploymentClient</a> is disabled.<br /> 01-28-2010 11:52:44.745 WARN <a class="wiki_url_new" href="/base/ServerClassMgr">ServerClassMgr</a> - No valid configuration found for tenant: default<br /> 01-28-2010 11:52:44.745 WARN <a class="wiki_url_new" href="/base/TenantService">TenantService</a> - Unable to load server classes for DS: default<br /> 01-28-2010 11:52:44.750 WARN <a class="wiki_url_new" href="/base/ServerClassMgr">ServerClassMgr</a> - No valid configuration found for tenant: default<br /> 01-28-2010 11:52:44.750 WARN <a class="wiki_url_new" href="/base/TenantService">TenantService</a> - Unable to load server classes for DS: default<br /> 01-28-2010 11:52:44.751 INFO loader - Instantiated plugin: tailingprocessor<br /> 01-28-2010 11:52:44.951 INFO loader - Instantiated plugin: selectprocessor<br /> 01-28-2010 11:52:44.951 INFO loader - Instantiated plugin: queueoutputprocessor<br /> 01-28-2010 11:52:44.952 INFO loader - Instantiated plugin: archiveprocessor<br /> 01-28-2010 11:52:44.999 INFO loader - Instantiated plugin: queueoutputprocessor<br /> 01-28-2010 11:52:45.002 INFO loader - Instantiated plugin: execprocessor<br /> 01-28-2010 11:52:45.002 INFO loader - Instantiated plugin: queueoutputprocessor<br /> 01-28-2010 11:52:45.003 INFO loader - Instantiated plugin: fschangemanagerprocessor<br /> 01-28-2010 11:52:45.005 INFO loader - Running....<br /> 01-28-2010 11:52:45.006 WARN pipeline - Exiting pipeline scheduler gracefully: got eExit from processor <a class="wiki_url_new" href="/base/LiveSplunks">LiveSplunks</a><br /> 01-28-2010 11:52:45.009 WARN pipeline - Exiting pipeline distributedDeploymentNG gracefully: got eExit from processor distdeploymentNG<br /> 01-28-2010 11:52:45.010 INFO loader - Server supporting SSL v2/v3<br /> 01-28-2010 11:52:45.010 INFO loader - Using cipher suite ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM</p> <p>Is there anything obviously wrong?</p> <p>Cheers for helping guys.</p> Thu, 28 Jan 2010 03:03:39 PST splunkles99 http://www.splunk.com/support/forum:SplunkAdministration/3866/12851 http://www.splunk.com/support/forum:SplunkAdministration/3866/12796 <p>Not sure if i's a bug or not but I was configuring the tcp port vi a the data inputs link on the mgmt links on the receiver - just did it through the set up Forwarders and Receivers tab instead and it worked straight away.</p> Mon, 25 Jan 2010 08:17:31 PST splunkles99 http://www.splunk.com/support/forum:SplunkAdministration/3866/12796 http://www.splunk.com/support/forum:SplunkAdministration/3866/12711 <p>you have an incorrect listening port configuraiton. You are using</p> <p>[tcp:<em>1234]</p> <p>instead of</p> <p>[splunktcp:</em>1234]</p> Tue, 19 Jan 2010 20:20:12 PST gkanapathy http://www.splunk.com/support/forum:SplunkAdministration/3866/12711 http://www.splunk.com/support/forum:SplunkAdministration/3866/12669 <p>does the system/local/inputs.conf override /<a class="wiki_url_new" href="/base/SplunLightForwarder">SplunLightForwarder</a>/local/inputs.conf?</p> Mon, 18 Jan 2010 08:22:29 PST splunkles99 http://www.splunk.com/support/forum:SplunkAdministration/3866/12669 http://www.splunk.com/support/forum:SplunkAdministration/3866/12668 <p>if I search using</p> <p>index=&quot;main&quot; source=&quot;tcp:7772&quot;</p> <p>then I get the same data displayed so it looks like all the data is going straight to the main index rather than the one I specify in the inputs.conf on the forwarder</p> Mon, 18 Jan 2010 08:12:35 PST splunkles99 http://www.splunk.com/support/forum:SplunkAdministration/3866/12668 http://www.splunk.com/support/forum:SplunkAdministration/3866/12667 <p>If I go to the launcher app and select port 7772 I see current data and the search in the search bar says source=&quot;tcp:7772&quot; but it's not populating the devidx index.</p> Mon, 18 Jan 2010 08:10:09 PST splunkles99 http://www.splunk.com/support/forum:SplunkAdministration/3866/12667 http://www.splunk.com/support/forum:SplunkAdministration/3866/12666 <p>OK cheers can you see anything wrong with this?</p> <p>/opt/splunk/etc/apps/<a class="wiki_url_new" href="/base/SplunkLightForwarder">SplunkLightForwarder</a>/local/inputs.conf</p> <p>[monitor:<em>usr/local/apache2/logs]<br /> disabled = false<br /> host = redhatdev<br /> _TCP_ROUTING = *<br /> index = devidx</p> <p>/opt/splunk/etc/apps/<a class="wiki_url_new" href="/base/SplunkLightForwarder">SplunkLightForwarder</a>/local/outputs.conf</p> <p>[tcpout]<br /> defaultGroup = default-clone-group-localhost_7772<br /> disabled = false<br /> maxQueueSize = 1000<br /> [tcpout:default-clone-group-localhost_7772]<br /> server = localhost:7772</p> <p>[tcpout-server:</em>localhost:7772]</p> <p>my indexer is listening on tcp:7772 and there is an index called devidx but it has no data in it?</p> Mon, 18 Jan 2010 08:06:37 PST splunkles99 http://www.splunk.com/support/forum:SplunkAdministration/3866/12666 http://www.splunk.com/support/forum:SplunkAdministration/3866/12661 <p>You can set it on the forwarder via inputs.conf.</p> Mon, 18 Jan 2010 07:37:51 PST araitz http://www.splunk.com/support/forum:SplunkAdministration/3866/12661 http://www.splunk.com/support/forum:SplunkAdministration/3866/12660 <p>sorry for the typos - what I'm asking is where do I set the index = indexname and how do I map the data on the receiving port to an index?</p> Mon, 18 Jan 2010 07:36:03 PST splunkles99 http://www.splunk.com/support/forum:SplunkAdministration/3866/12660 http://www.splunk.com/support/forum:SplunkAdministration/3866/12659 <p>Hi Guys</p> <p>I have an issue where I can set up a splunklightforwarder to forward data to a reciever and I can see the tcp port and data on the reciever but how can I route the data on the reciever to a specific index?</p> <p>I have created an index but it has 0 dtat in it.</p> <p>Do i se tthe index = &quot;indexname&quot; in the inputs.conf on the forwarder or do I have to create a new application on the receiver and put it in the appname/local/input.conf?</p> <p>Thanks for your help.</p> Mon, 18 Jan 2010 07:31:15 PST splunkles99 http://www.splunk.com/support/forum:SplunkAdministration/3866/12659