When you try to start the ICDx Splunk forwarder, the forwarder does not start and errors are found in the forwarder logs.
The following error is listed in the forwarder logs:
2020-09-17 01:07:11,746 [main] ERROR lifecycle - Failed to load the service's modules: com.symantec.splunk.SplunkHttpWriterModule: Unable to load configuration: Splunk
com.symantec.lib.app.ModuleLoaderError: com.symantec.splunk.SplunkHttpWriterModule: Unable to load configuration: Splunk
...
Caused by: java.lang.reflect.InvocationTargetException: null
...
Caused by: java.lang.reflect.InvocationTargetException: null
...
Caused by: com.symantec.http.support.CreateExecutorException: Problem loading certificate file: /path/to/splunk_cert.pem
...
Caused by: java.io.FileNotFoundException: /path/to/splunk_cert.pem (No such file or directory)
...
The error has been edited for brevity. The path "/path/to/splunk_cert.pem" is the value set in the "SSL Certificate Path" configuration.
Release : 1.4.1
Component : Splunk Forwarder
The issue occurs when the ICDx forwarder is configured to use and verify SSL (TLS) but the ICDx software is not able to read the Splunk certificate that has been stored in the local filesystem.
To resolve this issue, verify that the certificate path and filename are correct, and that the permissions and ownership for the full path and file allow the ICDx user account (icdx by default) to read the file.
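
The check described in the resolution can be scripted. The following is an added example, not part of the original article or of the ICDx product. The function name and the script name check_cert_path.sh are hypothetical, and the script assumes it is run as the ICDx user account so that the result reflects that account's access.

```shell
#!/bin/sh
# Added example (not vendor code): walk each component of the certificate
# path and report the first one that blocks the user running this script.
# Assumption: it is run as the ICDx service account, for example
#   sudo -u icdx sh check_cert_path.sh /path/to/splunk_cert.pem
# where check_cert_path.sh is a hypothetical file name for this script.

check_cert_path() {
    target=$1
    case $target in
        /*) ;;
        *) echo "FAIL: '$target' is not an absolute path"; return 2 ;;
    esac
    current=""
    rest=${target#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$part" ] || continue        # ignore empty components ("//")
        current="$current/$part"
        if [ ! -e "$current" ]; then
            echo "FAIL: $current does not exist"; return 1
        fi
        if [ -n "$rest" ]; then           # intermediate component
            if [ ! -d "$current" ]; then
                echo "FAIL: $current is not a directory"; return 1
            fi
            if [ ! -x "$current" ]; then
                echo "FAIL: no search (x) permission on $current"; return 1
            fi
        fi
    done
    if [ ! -f "$target" ]; then
        echo "FAIL: $target is not a regular file"; return 1
    fi
    if [ ! -r "$target" ]; then
        echo "FAIL: no read permission on $target"; return 1
    fi
    echo "OK: $target is readable by $(id -un 2>/dev/null || id -u)"
}

if [ "$#" -gt 0 ]; then
    check_cert_path "$1"
fi
```

A FAIL line names the first directory or file to correct. Fix its name, ownership or mode, then run the check again before restarting the forwarder.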