Solved

Editing Splunk input and output.conf files

Posted on 2016-09-15
4
53 Views
Last Modified: 2016-10-17
i need to redirect the input and output.conf files for my workstations so it see my current splunk server. which is the correct location of the file?

C:\Program Files\SplunkUniversalForwarder\etc\system\local

or

C:\Program Files\SplunkUniversalForwarder\etc\system\default
0
Comment
Question by:NxJNY
  • 3
4 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points (awarded by participants)
ID: 41814250
Change the local, not the default.

Configuration files are stored in:

Default files (Do not edit these preconfigured files.): $SPLUNK_HOME/etc/system/default

Editable local files: $SPLUNK_HOME/etc/system/local

App files: $SPLUNK_HOME/etc/apps/

Splunk Enterprise and apps write configuration settings into configuration files.

 You can configure settings and processes by editing stanzas within copies of the default configuration files.
http://docs.splunk.com/Splexicon:Configurationfile


You should leave the default intact - No change.

http://docs.splunk.com/Documentation/Forwarder/6.4.3/Forwarder/Configuretheuniversalforwarder

For e.g. to note
Default versions of outputs.conf

The universal forwarder ships with these default versions of outputs.conf:

 One in $SPLUNK_HOME/etc/system/default.

 Another in $SPLUNK_HOME/etc/apps/SplunkUniversalForwarder/default.

The default version in the SplunkUniversalForwarder app has precedence over the version under /etc/system/default.

Do not edit default versions of any configuration files
0
 
LVL 2

Author Comment

by:NxJNY
ID: 41820327
i am getting this error when i log into splunk. does this mean the servers cert expired or my splunk cert expired

09-28-2016 13:03:58.540 -0400 ERROR TcpInputProc - Error encountered for connection from src=192.100.1.25:0195. error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired
0
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points (awarded by participants)
ID: 41820904
It is an issue of certificate expiration.

Splunk default SSL certificate is valid for three years. So, when Splunk InputTcpProc validates a SSL certificate, it recognized it as invalid certificate. As default, Splunk initial installation generate "three" years valid certificates.

http://docs.splunk.com/Documentation/Splunk/6.0/Security/ConfigureSplunkforwardingtousesignedcertificates

Unless the rootCA has expired, you only need a new server certificate. Use splunk createssl server-cert to create a new one certificate to replace the one you are using.
0
 
LVL 63

Expert Comment

by:btan
ID: 41846301
As per advice.
0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Both MMF (multi-mode fiber) and SMF (single-mode fiber) are types of optical fiber that can aid in communication applications. These thin strands of silica or glass will allow communication to occur between devices. The transmission of light between…
Note: This is the second blog post in a series on email clearinghouses (https://www.xmatters.com/alert-management/blog-email-has-failed-us?utm_campaign=70138000000ydLoAAI&utm_source=exex&utm_medium=article&utm_content=blog-post).   Every month t…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

860 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question