topic Re: Problem with Sending logs from DomainController to Splunk Intermediate forwarder. in Splunk Enterprise

Problem with Sending logs from DomainController to Splunk Intermediate forwarder.

d4wc3k — Mon, 22 Jun 2020 16:59:30 GMT

Hello Everyone on Splunk Forum

I have problem with sending DC to Splunk Setup.
This DC machine first should send logs to IFs tier and after this place events in indexer.

I have checked internal logs for this particular machine with "ERROR" log_level.
Interesting thing which has found by me is problem with 'TcpOutputFd'
There are folling messages

Connection to host=10.200.80.11:9997 failed. sock_error = 10054. SSL Error = No error
Connection to host=10.200.80.12:9997 failed. sock_error = 10054. SSL Error = No error
Connection to host=10.200.80.13:9997 failed
I am not very familiar with managing distributed Splunk setup - I am still learning new things.

Could you please tell me how i can resolve this problem.

Thanks

BR
Dawid

Re: Problem with Sending logs from DomainController to Splunk Intermediate forwarder.

anilchaithu — Mon, 22 Jun 2020 18:21:59 GMT

@d4wc3k

you need to check couple of things

1) Is there any firewall between DC & intermediate forwarder?

you can check this from DC doing telnet forwarderip:9997

2) IS ssl enabled for this transfer? If so certs should match

you can check this in "inputs.conf" on intermediate forwarder

Re: Problem with Sending logs from DomainController to Splunk Intermediate forwarder.

d4wc3k — Tue, 23 Jun 2020 10:18:34 GMT

1) DC don't have any problems with cionnections to IFs on 9997 dest port.
2) What should be checked ?
Do I need compare ssl cert on IF with cert in splunk agent on DC machine ?
If yes I am not sure what is location of cert on DC machine

On IF side I can see that it's in /opt/splunkforwarder/etc/apps/name_of_app/auth/cacert.pem