Signed index data not showing up correctly with Splunk 4.2. Worked OK on 4.1.
With 4.1, I would be getting signed data at this point. If it didn't work, then the splunk.log would write out what the problem was. With my new 4.2 setup, I'm getting a "Could not validate this source..." message in the interface instead. While the message recommends reviewing the splunk.log, there are no relevant messages in the splunk.log at all.
So, I'm stuck. Any tips / ideas on how to get signed data with 4.2, or at least entries in the logs so I can troubleshoot whatever issue might be going on?
Thanks,
Looks like broken block signing is now a known issue with 4.2 GA:
BlockSignature content validation does not work with distributed search. BlockSignature content validation does not work in 4.2 (GA), even without distributed search, and will falsely claim the data has been tampered with. (SPL-38082)
http://www.splunk.com/base/Documentation/4.2/ReleaseNotes/KnownIssues (under unsorted)
A quick update: the two systems I updated to 4.2 are no longer reporting their signed data is OK. Reinstalled Splunk on two systems, configured them for block signing, and neither is working correctly.
Assuming that block signing is having a problem in 4.2.