Wondering if anyone else has seen issues where you modify the changes in the GUI and the applicable .conf files are not updated or modified incorrectly? This is Splunk 7 Enterprise running on Windows server 2016.
First example, spent far too much time trying to get LDAP authentication to work and gave up because we don't have a CA and Splunk didn't like the DC self-signed certs we are using, despite us importing them as trusted to the Windows Server and Splunk Trusted Root stores. Decided to use SAML via Okta instead, but while trying to figure that out, we noticed these errors in the log:
11-22-2017 18:09:35.434 -0800 WARN SSLOptions - authentication.conf/[saml]/sslKeysfile: deprecated; use 'clientCert' instead
11-22-2017 18:09:35.434 -0800 WARN SSLOptions - authentication.conf/[saml]/sslKeysfilePassword: deprecated; use 'sslPassword' instead
We modified as instructed, but every time we had to make a change in the GUI, it changed the suggested parameters back to the deprecated ones. We finally got it working, but it was a major PITA.
More recently we are using a Universal Forwarder install on a dedicated Win2016 VM to ingest Windows Forwarded Events. GPO configures PCs to forward events to Win2016 VM running Universal Forwarder. The events are forwarded to Splunk but they always go to the "main" index. We've tried everything to get them to go to a dedicated index like our other numerous SYSLOG sources. It is very frustrating and I suspect this might be a related issue where despite us seeing the Win2016 host as a new data source, selecting Forwarded Events, and choosing a new index, those settings don't get updated in the proper conf file (we aren't sure where that is for the UF inputs). This is despite the GUI showing all indications that is how it is configured.
We have twice removed UF and all configs on Splunk and the source server and tried to recreate to no avail. Splunk GUI shows that data source is associated with index "wef" but searching index=wef shows nothing. Searching index=main shows the events.
As a last resort we tried to manually update the inputs.conf file, but that didn't work after a splunkd restart.
We are opening a ticket, but super frustrating.
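Both problems in the post come down to the same question: which .conf file actually supplies a given setting once Splunk layers etc/system and etc/apps together. The script below is an added example, not code from the post or from Splunk; it reproduces what `splunk btool <conf> list --debug` reports by applying Splunk's documented global-context precedence (system/local, then apps/*/local and apps/*/default in ASCII order, then system/default) to a layered tree, and it flags the two deprecated [saml] keys named in the quoted SSLOptions warnings. The directory layout, app names and stanza contents are constructed sample data, not the poster's configuration.

```python
"""Resolve effective Splunk .conf settings across a layered etc/ tree.

Added example (not the poster's or Splunk's own code). Inputs are a
{path: text} mapping standing in for files on disk so it runs offline.
[default]-stanza inheritance is deliberately not modelled.
"""
import re

STANZA_RE = re.compile(r"^\[(.+)\]\s*$")

# Deprecated [saml] keys and their replacements, exactly as the
# SSLOptions warnings quoted in the post name them.
DEPRECATED_SAML_KEYS = {"sslKeysfile": "clientCert",
                        "sslKeysfilePassword": "sslPassword"}


def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}}. Stanza names and keys
    keep their case, because Splunk treats them case-sensitively."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def precedence(path):
    """Sort key for a conf path; lower sorts first and wins.
    Per Splunk's documented global-context order: system/local beats
    every app, app local dirs beat app default dirs, system/default is
    last. Apps are compared in plain ASCII order, so an app named
    'Splunk_TA_windows' (capital S) beats 'search' (lowercase s)."""
    parts = path.replace("\\", "/").split("/")
    i = parts.index("etc")
    if parts[i + 1] == "system":
        return (0 if parts[i + 2] == "local" else 3, "")
    app, scope = parts[i + 2], parts[i + 3]
    return (1 if scope == "local" else 2, app)


def effective(files, stanza):
    """Return {key: (value, source_path)} for one stanza: for each key, the
    value from the highest-precedence file that sets it, like btool --debug."""
    result = {}
    # Walk lowest precedence first so each higher layer overwrites.
    for path in sorted(files, key=precedence, reverse=True):
        for key, value in parse_conf(files[path]).get(stanza, {}).items():
            result[key] = (value, path)
    return result


def deprecated_keys(files, conf="authentication.conf", stanza="saml"):
    """List (path, old_key, replacement) for deprecated keys still present
    in any copy of the given conf file."""
    hits = []
    for path in sorted(files):
        if not path.endswith(conf):
            continue
        for key in parse_conf(files[path]).get(stanza, {}):
            if key in DEPRECATED_SAML_KEYS:
                hits.append((path, key, DEPRECATED_SAML_KEYS[key]))
    return hits


# Constructed sample tree for a Universal Forwarder (hypothetical contents).
SAMPLE_FILES = {
    # A Windows TA's local dir pins the input to main...
    "etc/apps/Splunk_TA_windows/local/inputs.conf":
        "[WinEventLog://ForwardedEvents]\ndisabled = 0\nindex = main\n",
    # ...while a later edit through the search app intends index = wef.
    "etc/apps/search/local/inputs.conf":
        "[WinEventLog://ForwardedEvents]\nindex = wef\n",
    # A [saml] stanza still using the keys the warnings call deprecated.
    "etc/system/local/authentication.conf":
        "[saml]\nsslKeysfile = etc/auth/splunkweb/privkey.pem\n"
        "sslKeysfilePassword = changeme\n",
}

if __name__ == "__main__":
    for key, (value, src) in effective(
            SAMPLE_FILES, "WinEventLog://ForwardedEvents").items():
        print(f"{key} = {value}    # from {src}")
    for src, old, new in deprecated_keys(SAMPLE_FILES):
        print(f"{src}: [saml]/{old} is deprecated; use '{new}'")
```

In the sample, `index = wef` is present in a local inputs.conf yet the effective value is `main`, because `Splunk_TA_windows/local` outranks `search/local` in ASCII order; a stanza placed in `etc/system/local/inputs.conf` on the forwarder would outrank both. On a real UF the check is `splunk btool inputs list "WinEventLog://ForwardedEvents" --debug`, run on the forwarder itself, since the GUI on the indexer only writes that host's own conf files. One further caveat: an indexer drops events addressed to an index that does not exist on it rather than redirecting them to main, so events landing in main point at the forwarder's effective `index` setting, not at the indexer.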