We've been trying to get the Splunk Universal Forwarder for Windows (v6.3.0) to work on a Windows 2008 R2 server and we consistently get the following error.
```
TcpInputConfig - SSL clause not found or servercert not provided - SSL ports will not be available
```
We turned on debug logs and saw a little more detail but we're still having issues.
```
02-15-2016 12:42:55.522 -0600 DEBUG TcpOutputProc - Found group : splunkssl
02-15-2016 12:42:55.522 -0600 DEBUG TcpOutputProc - confifuring ssl for cert path :D:/Program Files/SplunkUniversalForwarder/etc/auth/server.pem
02-15-2016 12:42:55.522 -0600 INFO TcpOutputProc - tcpout group splunkssl using Auto load balanced forwarding
02-15-2016 12:42:55.522 -0600 INFO TcpOutputProc - Group splunkssl initialized with maxQueueSize=512000 in bytes.
```
First, we've tried all sorts of iterations for the .pem file paths in the outputs.conf file. (We are using the `D:\Program Files\SplunkUniversalForwarder\etc\system\local\outputs.conf` file). This is what the current version looks like, but we've tried lots of different iterations. (quoted, unquoted, double backslash //)
```
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = X.X.X.X:9997
sslRootCAPath = D:/Program Files/SplunkUniversalForwarder/etc/auth/cacert.pem
sslCertPath = D:/Program Files/SplunkUniversalForwarder/etc/auth/server.pem
sslPassword = {encrypted text removed}
sslVerifyServerCert = true
```
We are using self-signed certificates, but we found that we had to rename them to cacert.pem and server.pem or else we generated a completely different error.
```
02-15-2016 10:01:50.425 -0600 ERROR SSLCommon - Can't read key file D:\Program Files\SplunkUniversalForwarder\etc\auth\server.pem errno=101077092 error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt.
```
I expect that someone has this working. Any Windows-specific recommendations?
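A pre-flight check for the `[tcpout:splunkssl]` stanza above, added here as an example; it is not part of the original post and is not Splunk code. It assumes the file named by `sslCertPath` is a PEM bundle holding both the certificate and its private key; `pem_blocks`, `audit_outputs` and the sample data are hypothetical names constructed for illustration.

```python
import configparser
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)

def pem_blocks(text):
    """Return (block labels, key_is_encrypted) for PEM text."""
    labels = BEGIN.findall(text)
    encrypted = "ENCRYPTED PRIVATE KEY" in labels or "Proc-Type: 4,ENCRYPTED" in text
    return labels, encrypted

def audit_outputs(conf_text, read_file):
    """Check every [tcpout:*] stanza; read_file(path) returns file text or None."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep setting names exactly as written
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        s = cp[name]
        if not name.startswith("tcpout:") or "sslCertPath" not in s:
            continue
        cert = read_file(s["sslCertPath"])
        if cert is None:
            findings.append(f"{name}: sslCertPath not readable")
        else:
            labels, encrypted = pem_blocks(cert)
            if "CERTIFICATE" not in labels:
                findings.append(f"{name}: no CERTIFICATE block in sslCertPath")
            if not any(label.endswith("PRIVATE KEY") for label in labels):
                findings.append(f"{name}: no private key block in sslCertPath")
            elif encrypted and not s.get("sslPassword"):
                findings.append(f"{name}: key is encrypted but sslPassword is unset")
        if s.get("sslVerifyServerCert", "false").lower() == "true":
            ca = read_file(s.get("sslRootCAPath", ""))
            if ca is None or "CERTIFICATE" not in pem_blocks(ca)[0]:
                findings.append(f"{name}: sslVerifyServerCert=true but no usable sslRootCAPath")
    return findings

# Constructed sample: the post's stanza without sslPassword, placeholder PEM bodies,
# and no cacert.pem present.
AUTH = "D:/Program Files/SplunkUniversalForwarder/etc/auth/"
SAMPLE_CONF = f"""[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
server = X.X.X.X:9997
sslRootCAPath = {AUTH}cacert.pem
sslCertPath = {AUTH}server.pem
sslVerifyServerCert = true
"""
SAMPLE_FILES = {AUTH + "server.pem": "-----BEGIN CERTIFICATE-----\n(constructed)\n"
                "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n(constructed)\n"}
```

The check only inspects file structure; it does not test whether the passphrase actually decrypts the key, which is the condition OpenSSL reports as `bad decrypt`.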