Editing Splunk input and output.conf files

I need to redirect the input and output.conf files for my workstations so they see my current Splunk server. Which is the correct location of the file?

C:\Program Files\SplunkUniversalForwarder\etc\system\local

or

C:\Program Files\SplunkUniversalForwarder\etc\system\default

Asked by: NxJNY

btan (Exec Consultant) commented:
Change the local, not the default.

Configuration files are stored in:

Default files (Do not edit these preconfigured files.): $SPLUNK_HOME/etc/system/default

Editable local files: $SPLUNK_HOME/etc/system/local

App files: $SPLUNK_HOME/etc/apps/

Splunk Enterprise and apps write configuration settings into configuration files.

You can configure settings and processes by editing stanzas within copies of the default configuration files.
http://docs.splunk.com/Splexicon:Configurationfile


You should leave the default intact - No change.

http://docs.splunk.com/Documentation/Forwarder/6.4.3/Forwarder/Configuretheuniversalforwarder

For example, note:

Default versions of outputs.conf

The universal forwarder ships with these default versions of outputs.conf:

  • One in $SPLUNK_HOME/etc/system/default.
  • Another in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default.

The default version in the SplunkUniversalForwarder app has precedence over the version under /etc/system/default.

Do not edit default versions of any configuration files.
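
The layering described in the answer above, as an added example that is not part of the original thread or of Splunk's own code: a small resolver that reports which file supplies each effective outputs.conf setting. It goes beyond the two directories in the question and assumes Splunk's global-context order (system/local, then app local, then app default, then system/default); the file contents and the host name splunk.example.test are constructed.

```python
import tempfile
from pathlib import Path

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, "default"  # settings before any header are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def layers(splunk_home, conf):
    """Existing copies of conf, highest precedence first (assumed global-context order)."""
    etc = Path(splunk_home) / "etc"
    apps = sorted((p for p in (etc / "apps").glob("*") if p.is_dir()), key=lambda p: p.name)
    paths = [etc / "system" / "local" / conf]        # the copy you edit
    paths += [a / "local" / conf for a in apps]
    paths += [a / "default" / conf for a in apps]     # shipped app defaults
    paths.append(etc / "system" / "default" / conf)   # shipped system defaults
    return [p for p in paths if p.is_file()]

def effective(splunk_home, conf):
    """Return {(stanza, key): (value, winning_file)}."""
    merged = {}
    for path in layers(splunk_home, conf):
        for stanza, settings in parse_conf(path.read_text()).items():
            for key, value in settings.items():
                merged.setdefault((stanza, key), (value, path))  # first layer wins
    return merged

def demo():
    """Build a constructed forwarder tree in a temp dir and resolve outputs.conf."""
    home = Path(tempfile.mkdtemp())
    files = {  # constructed sample content, not the real shipped defaults
        "etc/system/default/outputs.conf": "[tcpout]\nmaxQueueSize = auto\nsendCookedData = true\n",
        "etc/apps/SplunkUniversalForwarder/default/outputs.conf": "[tcpout]\nmaxQueueSize = 500KB\n",
        "etc/system/local/outputs.conf": "[tcpout:primary]\nserver = splunk.example.test:9997\n",
    }
    for rel, body in files.items():
        (home / rel).parent.mkdir(parents=True, exist_ok=True)
        (home / rel).write_text(body)
    return {k: (v, p.relative_to(home).as_posix()) for k, (v, p) in effective(home, "outputs.conf").items()}
```

On a real forwarder, `splunk btool outputs list --debug` prints the merged settings together with the file each one came from.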

NxJNY (Author) commented:
I am getting this error when I log into Splunk. Does this mean the server's cert expired or my Splunk cert expired?

09-28-2016 13:03:58.540 -0400 ERROR TcpInputProc - Error encountered for connection from src=192.100.1.25:0195. error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired

btan (Exec Consultant) commented:
It is an issue of certificate expiration.

Splunk's default SSL certificate is valid for three years. So, when Splunk InputTcpProc validates an SSL certificate, it recognizes it as an invalid certificate. By default, the initial Splunk installation generates certificates that are valid for "three" years.

http://docs.splunk.com/Documentation/Splunk/6.0/Security/ConfigureSplunkforwardingtousesignedcertificates

Unless the rootCA has expired, you only need a new server certificate. Use splunk createssl server-cert to create a new certificate to replace the one you are using.

btan (Exec Consultant) commented:
As per advice.