![]() Then, you can use deployment server to push down different app with new SSL certs when the time comes. Because it starts with "zzz" it will be matched as a last resort. Name your defaults app zzzSystemLocalReplacement. You'll have to be careful with naming them because of settings precedence, but crafted correctly, you can create your own defaults that live in apps and have system/local completely empty. I took advantage of this and created few apps that get copy/pasted alongside the install. If splunk finds nf in one of the apps BEFORE fist launch (hence the importance of LAUNCHSPLUNK=0), it will NOT create system\local\nf. This way, neither your priv key nor cleartext password is ever revealed to whoever runs the installer script. This gives you opportunity to replace cret with your own (known) version and copy/paste your encrypted sslPassword. ![]() You'll want to stop splunk from launching with LAUNCHSPLUNK=0 so that system\local\nf isn't generated yet. My preferred method is to give installer CERTFILE=C:\temp\server.pem with encrypted priv key and omitting CERTPASSWORD entirely. don't provide installer with CERTPASSWORD and swap the encrypted sslPassword in local\nf for your cleartext password (it will be encrypted on next restart).Server.pem will need to have its priv key encrypted with "password" (because reasons) do not provide installer with CERTPASSWORD flag at all.Server.pem needs to have its priv key encrypted with super_secret_pw provide installer with CERTPASSWORD=super_secret_pw.Passwords is where this gets interesting. ![]() If they are called server.pem and cacert.pem respectively, they will overwrite the default splunk-generated ones. CERTFILE=C:\temp\server.pem ROOTCACERTFILE=C:\temp\cacert.pem. If your source files are in C:\temp for example, use: msiexec.exe /i splunkforwarder. If you name the files exactly like Splunk does, it will work. I understand this method does not work, as the configuration in $SPLUNK_HOME\etc\system\local\nf will replace any configuration done in the app.Ī) What is the best way to configure Splunk Universal Forwarders to use a self-signed certificate for splunkd during installation?ī) What is the best way to configure Splunk Universal Forwarders to use a self-signed certificate for splunkd after installation? ServerCert = $SPLUNK_HOME\etc\apps\ssl_app\cert\.pem However, after installation, it still uses the default Splunk certificate in $SPLUNK_HOME\etc\system\local\nf.Ģ) Deploy an app containing nf to the deployment clients This method will install Splunk Universal Forwarder, and add the certificate into $SPLUNK_HOME\etc\auth. You can ensure that only the files with filenames ending with “.log” is sent to Splunk by adding a whitelist in your forwarders would like to secure splunkd (port 8089) on Splunk Universal Forwarders by using a throwaway self-signed certificate.ġ) Using msiexec to install Splunk Universal Forwarder, and also include the throwaway certificate for the forwarders msiexec.exe /i splunkforwarder-.msi DEPLOYMENT_SERVER=":8089" AGREETOLICENSE=Yes CERTFILE=.pem CERTPASSWORD= /quiet Linux : Default path is “/opt/sap/scc/log” Windows : Default Path is “c:\SAP\SCC\scc20\log” Please note that your installation folder may be different from the default You can find such logs in the location below by default. There could be many logs of interest in terms for SCC to push to Splunk. You can find more information about the configuration files in the link Our suggestion is to create a local app on the universal forwarder and configure nf and nf in that app context. The base configuration for the universal forwarder has predefined inputs for the relevant operating system but can be configured.Īdditional inputs can be configured in the /local/nf file - specific files/folders can be defined - see /default/nf for inspiration. Once you have the right version of the universal forwarder downloaded, you can follow the instruction in the link to install the universal forwarder on the host machine. You might have to login to Splunk or create a new user before you are able to download the universal forwarder. ) and is able to read files in real-time and send them through to Splunk.ĭownload the version of the Universal forwarder that is appropriate for the Operating system using the link. This is installed on the operating system ( Windows, Unix, etc. One popular option is Splunk’s offering of an agent-based collector called the Universal Forwarder. In this knowledge base article, we will explore a way to get SCC onboard Splunk. Though SAP SCC ( SAP Cloud Connector ) is currently not supported by PowerConnect ( More information here ), there are many ways to get this data onto Splunk.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |