I see this on all hosts everywhere when using Splunk, not just on indexers.

Per my comment with mmodestino above, I'm focusin on a simple heavy forwarder that really isn't doing anything right now except forwarding its own internal events to some clustered indexers.

Referencing Splunk network ports

8000 - shows our certificate
8088 - shows Splunk's certificate (index replication port, but not using it on this server)
8089 - shows Splunk's certificate (as I suspected)
9997 - not listening

As it turns out, I did use Duane's doc to make a final pass at the setup (I'd already figured out and setup most of it, but used it to fill in some cracks). After doing a quick re-read, I can see there's some stuff in there that I did not do as I didn't think they were applicable in our network. I see a references to securing the REST interface and indexer replication port. However, unlike the other port types, I don't quite see that mechanism spelled out. I'm guessing that's slide 26?

It looks like I need to do some experimentation...

Thanks

You said on all your Splunk instances. Surely some of them listen on different ports according to their roles. The message you are seeing will happen if you use the Splunk cert on any of those ports (to my knowledge).

While I'd secured the data port and splunkweb with SSL, I had done nothing to change the default not-so-secure key used for the management port and anywhere else it was used (replication, kvstore, etc). Somehow I missed that part of it. We have a rather extensive environment and I'll need to move carefully to fix this everywhere. Would have been much easier had I spotted it earlier :-.

Have the issues Duane references in his PDF presentation regarding using SSL for clustered indexer replication gone away now? I see the doc is several years old now.

We currently do not use SSL with the deployment server. I've gone back and forth as to why this is even necessary as compared to the other ports. I suppose if I'm passing an unencrypted password within a deployment that could represent an issue. This will mean I have to pass a certificate to each initial install of a UF, I guess. It's possible that this is difficult enough to do that "that ship has sailed", but I'll investigate further.

Anyway, I've now got a server that has an encrypted private key and the "missing" ports are now using it without issue. (It still really sucks that you can't use the same password-protected private key that you use in other configuration with Splunkweb so you have to generate a password-less version of it just for splunkweb).

Thanks very much, jkat54 and mmodestino!

OK, so let's take a heavy forwarder with no event activity passing through it, that I was playing with yesterday. That is, no other host has this server in its outputs.conf anywhere. It does have the best-practices outputs.conf mechanism in place to forward its own logs to an indexer, but that would be the only event traffic involving this server.

This server does have its own internal-CA-generated certificate as is common here.

Note that in the output below, names and encrypted passwords have been changed to protect the innocent. "hostA" refers to the local server's physical hostname, however we use CNAMEs for our servers and in this case, this server is "fwd01" below. Our certificates have SANs that allow both names plus the IP of the server as valid names. Hence, physical hostname, alias or IP would all work fine through Splunkweb.

inputs.conf

[default]
host = hostA

[SSL]
sslPassword = zzz
requireClientCert = false
serverCert = $SPLUNK_HOME/etc/auth/mycerts/fwd01.pem

outputs.conf (the local event forwarding is in another file...)

[tcpout]
clientCert = $SPLUNK_HOME/etc/auth/mycerts/fwd01.pem
defaultGroup = prod_default
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/cacerts.pem
sslVerifyServerCert = true
useClientSSLCompression = true

server.conf

[general]
serverName = fwd01
pass4SymmKey = xxx

[sslConfig]
sslPassword = yyy
sslRootCAPath = $SPLUNK_HOME/etc/auth/mycerts/cacerts.pem

web.conf

[settings]
enableSplunkWebSSL = true
privKeyPath = $SPLUNK_HOME/etc/auth/mycerts/fwd01.privatekey.pem
serverCert = $SPLUNK_HOME/etc/auth/mycerts/fwd01.pem

lsof -p -P | grep IPv4

reports the following

splunkd 23350 splunk    5u  IPv4          481132186      0t0       TCP *:8089 (LISTEN)
splunkd 23350 splunk   31u  IPv4          481135551      0t0       TCP *:8088 (LISTEN)
splunkd 23350 splunk   79u  IPv4          481159127      0t0       TCP hostA:35646->idx2:9997 (ESTABLISHED)
splunkd 23350 splunk   84u  IPv4          481133325      0t0       TCP *:8000 (LISTEN)
splunkd 23350 splunk   87u  IPv4          481159129      0t0       TCP hostA:57190->idx1:9997 (ESTABLISHED)
splunkd 23350 splunk   93u  IPv4          481133327      0t0       TCP localhost:32931->localhost:8191 (ESTABLISHED)
splunkd 23350 splunk   94u  IPv4          481134009      0t0       TCP localhost:32932->localhost:8191 (ESTABLISHED)
splunkd 23350 splunk   95u  IPv4          481135617      0t0       TCP localhost:32933->localhost:8191 (ESTABLISHED)
splunkd 23350 splunk   96u  IPv4          481134011      0t0       TCP localhost:32934->localhost:8191 (ESTABLISHED)

Just to see, I removed the deploymentclient.conf entry here so this heavy forwarder doesn't have a deployment server to talk to -- all local config -- and restarted. The X509 warning doesn't go away, so I doubt it's the deployment client/server.

I assumed everyone got this warning in their logs... I can say for instance, that if I spin up a "virgin" Splunk Enterprise with no configuration at all, this warning shows up in the logs as well. If it's worth of displaying a warning but it isn't a problem, I'm not sure why it would show up in the logs? It's like saying there's an "OK error".

Thanks!