uberAgent - unable to upload data to Splunk in environment with restricted internet access


Article ID: CTX693192


Description

uberAgent data is not available on the Splunk dashboard.

Agents are reporting correctly when Admins allow full internet access on the firewall.

The uberAgent log file, located in C:\Windows\Temp by default, shows a failed CurlSend attempt, for example:

2025-05-02 10:31:10.439 +0000,ERROR,DOMAIN,MACHINE_NAME$,2320,CurlSend,Sending to host https://http-inputs.myorgexample.splunkcloud.com:443 failed with: schannel: next InitializeSecurityContext failed: CRYPT_E_REVOCATION_OFFLINE (0x80092013) - The revocation function was unable to check revocation because the revocation server was offline.. 

Resolution

Allow traffic to the external CRL servers and OCSP responders on the firewall. Check with the certificate provider which URLs are required.

You should also import the root certificate into the Windows certificate store (Trusted Root Certification Authorities).
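
The following PowerShell is an added example, not part of the original article or of uberAgent. It connects to the Splunk endpoint, reads the certificate chain the server presents, and lists the CRL, OCSP and CA Issuers URLs embedded in it, which are the candidates for the firewall allow list. The default host name is a placeholder, and the `URL=` pattern assumes the text Windows produces when formatting these extensions.

```powershell
# Added example: list the revocation-related URLs in a server's certificate chain.
param(
    [string]$HostName = 'splunk-hec.example.invalid',  # placeholder: use your Splunk HTTP input host
    [int]$Port = 443
)

$found = New-Object System.Collections.Generic.List[object]

# Validation callback: record the URLs from every chain element, then accept.
# The connection is used only to read the certificate chain; no data is sent over it.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    foreach ($element in $chain.ChainElements) {
        foreach ($ext in $element.Certificate.Extensions) {
            # 2.5.29.31 = CRL Distribution Points
            # 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP, CA Issuers)
            if ($ext.Oid.Value -notin '2.5.29.31', '1.3.6.1.5.5.7.1.1') { continue }
            foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
                $found.Add([pscustomobject]@{
                    Subject   = $element.Certificate.Subject
                    Extension = $ext.Oid.FriendlyName
                    Url       = $m.Groups[1].Value
                })
            }
        }
    }
    $true
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try { $ssl.AuthenticateAsClient($HostName) } finally { $ssl.Dispose() }
}
finally { $client.Close() }

# One row per distinct URL, with the certificate and extension it came from
$found | Sort-Object Url -Unique | Format-Table -AutoSize -Wrap
```

Run it from an affected machine so the chain is the one uberAgent actually receives, including any certificate substituted by a TLS-inspecting proxy.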

Workaround:

We have a few settings (Config Flags) which can help in scenarios like this. Examples:

  • TLSRevocationChecksDisabled: disable certificate revocation checks, e.g. during testing with self-signed certificates on the backend (Windows only).
  • TLSRevocationChecksBestEffort: ignore certificate revocation checks in case of missing or offline distribution points (Windows only). If both revocation check options are configured, the option above takes precedence. For more details on these two options see https://curl.se/libcurl/c/CURLOPT_SSL_OPTIONS.html

You can update the configuration file (uberAgent.conf) located in C:\Programdata\vast limits\uberAgent\Configuration on the affected machine.

An example configuration stanza looks like this:

[Miscellaneous]
DebugMode = true
ConfigFlags = TLSRevocationChecksBestEffort

 


Problem Cause

Firewall was blocking CRL/OCSP traffic required for certificate validation.

Certificate chain was not trusted.

Additional Information

https://docs.citrix.com/en-us/uberagent/7-3-1/kb/installation-upgrade/using-uberagent-with-self-signed-certificates