The universal forwarder was used well, but one day it suddenly stopped and no longer runs. Why is this happening?
The execution environment is as follows:
Windows 7 32-bit
Hi @hhhwang,
which is the Splunk UF version?
Probably it's an old version and the certificate is expired.
For more info, see https://docs.splunk.com/Documentation/Splunk/9.0.0/Security/ConfigureandinstallcertificatesforLogObs...
In a few words:
In Windows run:
C:\Program Files\splunk\bin> openssl x509 -enddate -noout -in "C:\Program Files\splunk\etc\auth\server.pem"
In Linux run:
openssl x509 -enddate -noout -in /opt/splunk/etc/auth/server.pem
If it has expired, then rename /opt/splunk/etc/auth/server.pem to server.pem.back and restart splunkd.
./splunk restart
This will regenerate the server.pem file and renew the certificate.
Ciao.
Giuseppe
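The check-then-rename procedure from the answer above, as an added shell example that is not part of the original post and is not Splunk tooling. The function names and return codes are assumptions made for illustration; a file that does not parse as a certificate is reported separately so that it is never renamed as if it had expired.

```shell
#!/bin/sh
# Added example: check a Splunk server.pem and set it aside only if it has expired.
# Function names and return codes are assumptions, not part of Splunk.

# cert_status PEM [WARN_DAYS]
# returns 0 = valid, 1 = expires within WARN_DAYS, 2 = already expired,
#         3 = file missing or not a parseable certificate
cert_status() {
    pem=$1
    warn_days=${2:-30}
    [ -r "$pem" ] || return 3
    # Parse first; otherwise a corrupt file would look like an expired one.
    openssl x509 -noout -in "$pem" >/dev/null 2>&1 || return 3
    # -checkend N exits non-zero if the certificate expires within N seconds.
    openssl x509 -checkend 0 -noout -in "$pem" >/dev/null 2>&1 || return 2
    openssl x509 -checkend $((warn_days * 86400)) -noout -in "$pem" >/dev/null 2>&1 || return 1
    return 0
}

# rotate_if_expired PEM
# Renames PEM to PEM.back only when it has expired; returns 0 if renamed.
rotate_if_expired() {
    st=0
    cert_status "$1" 0 || st=$?
    if [ "$st" -eq 2 ]; then
        mv -- "$1" "$1.back" || return 3
        echo "renamed $1 to $1.back; restart splunkd to regenerate it"
        return 0
    fi
    echo "not rotated (status $st): $1"
    return 1
}

# Stand-alone use: sh check_cert.sh /opt/splunk/etc/auth/server.pem
if [ "$#" -gt 0 ]; then
    openssl x509 -enddate -noout -in "$1"
    rotate_if_expired "$1"
fi
```

Running `cert_status` from a scheduled job with a warning window gives notice before the forwarder stops, instead of after.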
Thanks, gcusello.
Splunk UF version is 6.4.10.
I'll try to solve it in the way you told me.
But it's been about a month since I installed it, so can I know why the certificate has expired?
The latest Splunk Universal Forwarder agent is 9.0 at the time of writing.
Do an upgrade and see if you still have the problem.
Hi @hhhwang,
I see that it's a very old version of Splunk UF, but probably you're using it on a very old Windows version. Is this the latest certified version of UF for that Windows?
In addition, I'm not sure that UF 6.4.10 is compatible with the latest Splunk versions.
I suggest opening a case with Splunk Support to identify the correct UF version to use.
Ciao.
Giuseppe