Solved

Editing Splunk input and output.conf files

Posted on 2016-09-15
Last Modified: 2016-10-17
I need to redirect the input and output.conf files for my workstations so they see my current Splunk server. Which is the correct location of the file?

C:\Program Files\SplunkUniversalForwarder\etc\system\local

or

C:\Program Files\SplunkUniversalForwarder\etc\system\default
Question by:NxJNY
4 Comments

Accepted Solution

by:
btan earned 500 total points (awarded by participants)
ID: 41814250
Change the local, not the default.

Configuration files are stored in:

Default files (Do not edit these preconfigured files.): $SPLUNK_HOME/etc/system/default

Editable local files: $SPLUNK_HOME/etc/system/local

App files: $SPLUNK_HOME/etc/apps/

Splunk Enterprise and apps write configuration settings into configuration files.

You can configure settings and processes by editing stanzas within copies of the default configuration files.
http://docs.splunk.com/Splexicon:Configurationfile


You should leave the default intact - No change.

http://docs.splunk.com/Documentation/Forwarder/6.4.3/Forwarder/Configuretheuniversalforwarder

For example, to note:
Default versions of outputs.conf

The universal forwarder ships with these default versions of outputs.conf:

 One in $SPLUNK_HOME/etc/system/default.

 Another in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default.

The default version in the SplunkUniversalForwarder app has precedence over the version under /etc/system/default.

Do not edit default versions of any configuration files.

Author Comment

by:NxJNY
ID: 41820327
I am getting this error when I log into Splunk. Does this mean the server's cert expired or my Splunk cert expired?

09-28-2016 13:03:58.540 -0400 ERROR TcpInputProc - Error encountered for connection from src=192.100.1.25:0195. error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41820904
It is an issue of certificate expiration.

Splunk's default SSL certificate is valid for three years. So, when Splunk InputTcpProc validates an SSL certificate, it recognized it as an invalid certificate. By default, the initial Splunk installation generates certificates valid for "three" years.

http://docs.splunk.com/Documentation/Splunk/6.0/Security/ConfigureSplunkforwardingtousesignedcertificates

Unless the rootCA has expired, you only need a new server certificate. Use splunk createssl server-cert to create a new certificate to replace the one you are using.
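
For triage of the splunkd.log error quoted above, the following is an added example (not part of the original thread and not Splunk's own code) that decodes the OpenSSL error number in TcpInputProc lines and counts certificate alerts per source. It assumes the OpenSSL 1.0.x error-code layout; the function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# TLS alert descriptions that concern certificates (RFC 5246, section 7.2).
CERT_ALERTS = {42: "bad_certificate", 43: "unsupported_certificate",
               44: "certificate_revoked", 45: "certificate_expired",
               46: "certificate_unknown", 48: "unknown_ca"}

LINE_RE = re.compile(
    r"ERROR\s+TcpInputProc - Error encountered for connection from "
    r"src=(?P<ip>[\d.]+):\d+\. error:(?P<code>[0-9A-Fa-f]{8}):")

def decode_openssl_error(code_hex):
    """Unpack an OpenSSL 1.0.x error code into (library, function, reason)."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def peer_alert(code_hex):
    """Name the TLS alert if the code records an alert received from the peer."""
    lib, _func, reason = decode_openssl_error(code_hex)
    # Library 20 is the SSL library; reasons above 1000 are alert number + 1000.
    if lib == 20 and reason > 1000:
        return CERT_ALERTS.get(reason - 1000, "alert_%d" % (reason - 1000))
    return None

def failing_sources(lines):
    """Count alerts per (source IP, alert name) across splunkd.log lines."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        alert = peer_alert(m.group("code")) if m else None
        if alert:
            hits[(m.group("ip"), alert)] += 1
    return hits

# First line is the one quoted in the thread; the rest are constructed samples.
SAMPLE = [
    "09-28-2016 13:03:58.540 -0400 ERROR TcpInputProc - Error encountered for connection from src=192.100.1.25:0195. error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired",
    "09-28-2016 13:04:28.611 -0400 ERROR TcpInputProc - Error encountered for connection from src=192.100.1.25:0212. error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired",
    "09-28-2016 13:05:02.117 -0400 ERROR TcpInputProc - Error encountered for connection from src=192.0.2.10:51234. error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca",
    "09-28-2016 13:05:10.002 -0400 INFO  TcpInputProc - Connection accepted (constructed line)",
]

if __name__ == "__main__":
    for (ip, alert), count in sorted(failing_sources(SAMPLE).items()):
        print("%-15s %-22s %d" % (ip, alert, count))
```

An alert read by the receiver was sent by the connecting host, so each source listed is a forwarder that rejected the certificate presented to it.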

Expert Comment

by:btan
ID: 41846301
As per advice.