I'm trying to enable https to Splunk Web. It appears easy and OK to have it enabled but once it is done, splunkd.log generates this error every 5 seconds. Why am I getting this?
01-31-2017 08:48:30.127 +1100 WARN HttpListener - Socket error from 127.0.0.1 while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request
As this message happens when it gets http requtest rather than https, unlike the splunkweb is expecting.
i) I've checked whether there's any external application/script health monitors the splunk but nothing's set up for that.
ii) I've checked and looked into the tcpdump it was like below - not coming from 3rd party machine;
*# tcpdump -nn -i lo tcp port 8000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
09:16:51.195412 IP 127.0.0.1.43463 > 127.0.0.1.8000: S 2424811887:2424811887(0) win 32792
09:16:51.195545 IP 127.0.0.1.8000 > 127.0.0.1.43463: S 4234531534:4234531534(0) ack 2424811888 win 32768
09:16:51.195571 IP 127.0.0.1.43463 > 127.0.0.1.8000: . ack 1 win 257 *
Finally found the below putting its logs every 5secs - worked around by changing http to https;
./Splunk_TA_stream/local/inputs.conf:[streamfwd://streamfwd]
./Splunk_TA_stream/local/inputs.conf:splunk_stream_app_location = http://localhost:8000/en-us/custom/splunk_app_stream/
As this message happens when it gets http requtest rather than https, unlike the splunkweb is expecting.
i) I've checked whether there's any external application/script health monitors the splunk but nothing's set up for that.
ii) I've checked and looked into the tcpdump it was like below - not coming from 3rd party machine;
*# tcpdump -nn -i lo tcp port 8000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 96 bytes
09:16:51.195412 IP 127.0.0.1.43463 > 127.0.0.1.8000: S 2424811887:2424811887(0) win 32792
09:16:51.195545 IP 127.0.0.1.8000 > 127.0.0.1.43463: S 4234531534:4234531534(0) ack 2424811888 win 32768
09:16:51.195571 IP 127.0.0.1.43463 > 127.0.0.1.8000: . ack 1 win 257 *
Finally found the below putting its logs every 5secs - worked around by changing http to https;
./Splunk_TA_stream/local/inputs.conf:[streamfwd://streamfwd]
./Splunk_TA_stream/local/inputs.conf:splunk_stream_app_location = http://localhost:8000/en-us/custom/splunk_app_stream/