https://community.splunk.com/t5/Splunk-Enterprise/Why-can-we-not-establish-connection-with-HTTP-event-collector/m-p/599192#M12664 <P>I'm trying to forward events to a Splunk instance using the HTTP event collector (<A target="_blank" rel="noopener">http://&lt;splunk_instance&gt;:8088/services/collector/event</A>)&nbsp;but it seems that the connection is being rejected by Splunk. The error I'm getting is: "<STRONG>read tcp 127.0.0.1:46660-&gt;127.0.1.1:8088: read: connection reset by peer</STRONG>"</P> <P>The HTTP event collector is configured as:</P> <P>Enable SSL: true</P> <P>HTTP Port number: 8088</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 25 May 2022 15:19:38 GMT domaquino 2022-05-25T15:19:38Z https://community.splunk.com/t5/Splunk-Enterprise/Why-can-we-not-establish-connection-with-HTTP-event-collector/m-p/599192#M12664 <P>I'm trying to forward events to a Splunk instance using the HTTP event collector (<A target="_blank" rel="noopener">http://&lt;splunk_instance&gt;:8088/services/collector/event</A>)&nbsp;but it seems that the connection is being rejected by Splunk. The error I'm getting is: "<STRONG>read tcp 127.0.0.1:46660-&gt;127.0.1.1:8088: read: connection reset by peer</STRONG>"</P> <P>The HTTP event collector is configured as:</P> <P>Enable SSL: true</P> <P>HTTP Port number: 8088</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 25 May 2022 15:19:38 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-can-we-not-establish-connection-with-HTTP-event-collector/m-p/599192#M12664 domaquino 2022-05-25T15:19:38Z https://community.splunk.com/t5/Splunk-Enterprise/Why-can-we-not-establish-connection-with-HTTP-event-collector/m-p/599199#M12666 <P>"Connection reset by peer" means that the other side actively closed the connection after initially accepting it. Which usually means - in this case - that the server is listening on the port anf the traffic isn't firewalled (otherwise you'd get connectiin timeout or connection refused) but your client isn't allowed by the configuration.</P><P>One interesting thing though is that you're saying you're connecting to an external instance but the error refers to localhost connection, has a strange form of localhost address (127.0.1.1) and seems to be from the server's side saying that client closed the connection.</P> Wed, 25 May 2022 04:42:05 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-can-we-not-establish-connection-with-HTTP-event-collector/m-p/599199#M12666 PickleRick 2022-05-25T04:42:05Z https://community.splunk.com/t5/Splunk-Enterprise/Why-can-we-not-establish-connection-with-HTTP-event-collector/m-p/599202#M12668 <P>Where do we set the allowed clients configuration here in Splunk? What I only did was to get the token of the Splunk instance and put it the configuration file of the client.</P><P>Also, the client (where the alert events will be coming from) and the server (Splunk) is on the same linux virtual machine.</P> Wed, 25 May 2022 05:29:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-can-we-not-establish-connection-with-HTTP-event-collector/m-p/599202#M12668 domaquino 2022-05-25T05:29:13Z https://community.splunk.com/t5/Splunk-Enterprise/Why-can-we-not-establish-connection-with-HTTP-event-collector/m-p/599213#M12671 <P>Check for errors on both sides of the connection. If this was indeed a message from the server, which would mean that the client interrupted the connection, it would typically mean SSL misconfiguration.</P><P>In such a case the client would attempt to connect to the server, the server would accept the TCP connection, at least one party would start the TLS handshake but - especially if the TLS was enabled on the client and disabled on the server - if the client couldn't agree with the server on TLS parameters, it would drop the connection.</P><P>So make sure that TLS parameters are the same on both sides.</P> Wed, 25 May 2022 06:24:06 GMT https://community.splunk.com/t5/Splunk-Enterprise/Why-can-we-not-establish-connection-with-HTTP-event-collector/m-p/599213#M12671 PickleRick 2022-05-25T06:24:06Z