<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Why do I get missing forwarders? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53883#M10396</link>
    <description>&lt;P&gt;okay, good to know you solved your problem by setting the attribute connection_host = none&lt;/P&gt;</description>
    <pubDate>Fri, 14 Sep 2012 08:35:18 GMT</pubDate>
    <dc:creator>MuS</dc:creator>
    <dc:date>2012-09-14T08:35:18Z</dc:date>
    <item>
      <title>Why do I get missing forwarders?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53878#M10391</link>
      <description>&lt;P&gt;I have configured the Universal forwarder to monitor a folder, but when I look at the Splunkd.log on the forwarder I see the following:&lt;BR /&gt;
09-07-2012 09:47:57.809 +0200 WARN  TcpOutputProc - Cooked connection to ip=99.999.9.999:9997 timed out&lt;BR /&gt;
09-07-2012 09:48:08.822 +0200 WARN  TcpOutputFd - Connect to 99.999.9.999:9997 failed. No connection could be made because the target machine actively refused it.&lt;BR /&gt;
09-07-2012 09:48:08.822 +0200 ERROR TcpOutputFd - Connection to host=99.999.9.999:9997 failed&lt;BR /&gt;
09-07-2012 09:48:08.822 +0200 WARN  TcpOutputProc - Applying quarantine to idx=99.999.9.999:9997 numberOfFailures=2&lt;/P&gt;

&lt;P&gt;There are no log entries in the Splunkd.log on the indexer.&lt;BR /&gt;
The universal forwarder is listed as missing in the Deployment App&lt;/P&gt;

&lt;P&gt;The indexer is configured to listen for all servers on 9997, and I have seen data received on this port at an earlier time.&lt;/P&gt;

&lt;P&gt;There are about 450 universal forwarders configured.&lt;/P&gt;

&lt;P&gt;Kind regards.&lt;/P&gt;</description>
      <pubDate>Fri, 07 Sep 2012 08:18:07 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53878#M10391</guid>
      <dc:creator>las</dc:creator>
      <dc:date>2012-09-07T08:18:07Z</dc:date>
    </item>
    <item>
      <title>Re: Why do I get missing forwarders?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53879#M10392</link>
      <description>&lt;P&gt;Hi las&lt;/P&gt;

&lt;P&gt;my first guess was: 'about 450 universal forwarders configured'&lt;/P&gt;

&lt;P&gt;... imagine they connect all at the same time to the indexer, your indexer could see this as a DoS attack. &lt;/P&gt;

&lt;P&gt;Check your indexer and Server OS if there is some DoS detection happening. &lt;/P&gt;

&lt;P&gt;/update:&lt;/P&gt;

&lt;P&gt;I'm by far no TCP expert, but when you get 'a lot' of &lt;CODE&gt;CLOSE_WAIT &amp;amp; FIN_WAIT_2&lt;/CODE&gt; there is something not as it should be. Short example:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;.1 The client sends a SYN to the server.
.2 The server responds with a SYN and ACK to the client.
.3 The client responds with an ACK to the server.

Connection is established and data is transferred (the steps are known as a 3-way handshake).
When the server is closing the connection, the following sequence takes place:

.4 The server sends a FIN and an ACK to the client.
.5 The client sends an ACK to the server.
.6 The client sends its own FIN and ACK to the server.
.7 The server sends an ACK to the client.
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;The short version is that this state exists when the first &lt;CODE&gt;FIN_ACK&lt;/CODE&gt; and ACK have been sent (steps 4 &amp;amp; 5) but the second &lt;CODE&gt;FIN_ACK&lt;/CODE&gt; and ACK (steps 6 &amp;amp; 7) have not.&lt;BR /&gt;
On the side that closed the connection you will have &lt;CODE&gt;FIN_WAIT_2&lt;/CODE&gt;, on the side that is to send the final &lt;CODE&gt;FIN_ACK&lt;/CODE&gt; and ACK you will have &lt;CODE&gt;CLOSE_WAIT&lt;/CODE&gt;.&lt;/P&gt;

&lt;P&gt;This could also be caused by a firewall somewhere in the network. &lt;BR /&gt;
cheers,&lt;/P&gt;

&lt;P&gt;MuS&lt;/P&gt;</description>
      <pubDate>Fri, 07 Sep 2012 08:25:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53879#M10392</guid>
      <dc:creator>MuS</dc:creator>
      <dc:date>2012-09-07T08:25:34Z</dc:date>
    </item>
    <item>
      <title>Re: Why do I get missing forwarders?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53880#M10393</link>
      <description>&lt;P&gt;I do have a lot of CLOSE_WAIT on the indexer, when I do a netstat, I have seen FIN_WAIT_2 on the universal forwarder.&lt;BR /&gt;
Does that support your theory?&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 12:23:52 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53880#M10393</guid>
      <dc:creator>las</dc:creator>
      <dc:date>2020-09-28T12:23:52Z</dc:date>
    </item>
    <item>
      <title>Re: Why do I get missing forwarders?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53881#M10394</link>
      <description>&lt;P&gt;see update....&lt;/P&gt;</description>
      <pubDate>Fri, 07 Sep 2012 09:00:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53881#M10394</guid>
      <dc:creator>MuS</dc:creator>
      <dc:date>2012-09-07T09:00:47Z</dc:date>
    </item>
    <item>
      <title>Re: Why do I get missing forwarders?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53882#M10395</link>
      <description>&lt;P&gt;It wasn't a DoS attack, and Windows didn't tag it that way.&lt;BR /&gt;
There is a stanza connection_host = none in inputs.conf that solved the problem.&lt;/P&gt;</description>
      <pubDate>Fri, 14 Sep 2012 08:20:39 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53882#M10395</guid>
      <dc:creator>las</dc:creator>
      <dc:date>2012-09-14T08:20:39Z</dc:date>
    </item>
    <item>
      <title>Re: Why do I get missing forwarders?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53883#M10396</link>
      <description>&lt;P&gt;okay, good to know you solved your problem by setting the attribute connection_host = none&lt;/P&gt;</description>
      <pubDate>Fri, 14 Sep 2012 08:35:18 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-do-I-get-missing-forwarders/m-p/53883#M10396</guid>
      <dc:creator>MuS</dc:creator>
      <dc:date>2012-09-14T08:35:18Z</dc:date>
    </item>
  </channel>
</rss>

