I have a indexer, that crashed and I restored.
I can start splunkd and splunkweb services, but cannot use the CLI, or connect with the search-head, and splunkweb login fails (the version displayed is UNKNOWN)
But splunkd is indexing, and my firewalls are open.
I saw some errors in splunkd.log after a restart.
08-07-2012 12:19:02.807 -0700 ERROR SSLCommon - Can't read key file D:\Program Files\Splunk\etc\auth\server.pem errno=151429224 error:0906A068:PEM routines:PEM_do_header:bad password read.
08-07-2012 12:19:02.807 -0700 ERROR ServerConfig - Couldn't initialize SSL Context for HTTPClient in ServerConfig
Did you restored the configuration from another server ?
The error means that the ssl certificated used for splunkd (port 8089) is not working.
check in $SPLUNK_HOME/etc/system/local/server.conf and web.conf
[sslConfig] sslKeysfilePassword = passwordand restart to apply if you are using the default ssl, shipped with splunk, simply comment the password line and restart it will encrypt the one from the default settings.
How about ...are the rights on the directories as expected after the restore? I had similar messages after installing the first heavy forwarder. I needed to replace several ACLs on the windows server to get it working.
Did you restored the configuration from another server ?
The error means that the ssl certificated used for splunkd (port 8089) is not working.
check in $SPLUNK_HOME/etc/system/local/server.conf and web.conf
[sslConfig] sslKeysfilePassword = passwordand restart to apply if you are using the default ssl, shipped with splunk, simply comment the password line and restart it will encrypt the one from the default settings.