Solved: Splunk web is not accessible after installing ES 4...

saurabh_tek11 · ‎04-18-2018

i have installed ES 4.7 and it took long time to get installed (left it running last evening and this morning ES was up and running). pending restart. i restarted splunk but after that splunk web is not accessible.

same was happening when i tried installing ES 5(known issue) yesterday but then i removed that and fell back on more stable (IMO) ES4.7 version. Now my splunk web is not accessing on https any idea how to fix this

$INSTALL/var/log/splunk/splunkd.log says -

04-19-2018 10:08:03.390 +0400 WARN  HttpListener - Socket error from 10.1.23.202 while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

There are rw permissions to splunk (user) on /opt/splunk/etc/myinstall/splunkd.xml .

saurabh_tek11 · ‎04-19-2018

The intermediate WAF was the culprit.

View solution in original post

saurabh_tek11 · ‎04-19-2018

The intermediate WAF was the culprit.

burakcinar · ‎04-18-2018

what's your splunk version ?
it seems there are some known issues for SSL .

http://docs.splunk.com/Documentation/Splunk/latest/ReleaseNotes/Knownissues

server.conf
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverconf?

sample server.conf

 [sslConfig]
 sslVersions = *,-ssl2
 sslVersionsForClient = *,-ssl2
 cipherSuite = TLSv1+HIGH:TLSv1.2+HIGH:@STRENGTH

saurabh_tek11 · ‎04-19-2018

@burakcinar, The splunk version is splunk Enterprise 7.0.2 and ES version is 4.7
I have added your shared configs in my /system/local/server.conf and restarted splunk but that didnt bring the web accessible. Could you suggest something else.

Splunk web is not accessible after installing ES 4.7, Socket error from x.x.x.x while idling: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms