<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic TcpOutputProc Connection to ...... closed. Connection closed by server in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83483#M17353</link>
    <description>&lt;PRE&gt;&lt;CODE&gt;Windows The Log

07-03-2013 17:03:44.654 +0530 WARN  TcpOutputProc - Applying quarantine to ip=107.20.29.58 port=9997 _numberOfFailures=7
07-03-2013 17:03:46.107 +0530 INFO  TcpOutputProc - Connected to idx=50.17.56.245:9997 using ACK.
07-03-2013 17:04:16.112 +0530 INFO  TcpOutputProc - Connected to idx=54.243.3.115:9997 using ACK.
07-03-2013 17:04:46.113 +0530 INFO  TcpOutputProc - Connected to idx=23.22.132.83:9997 using ACK.
07-03-2013 17:05:14.114 +0530 INFO  TcpOutputProc - Removing quarantine from idx=23.20.94.208:9997
07-03-2013 17:05:14.801 +0530 INFO  TcpOutputProc - Connected to idx=23.20.94.208:9997
07-03-2013 17:05:14.847 +0530 INFO  TcpOutputProc - Connected to idx=23.20.94.208:9997
07-03-2013 17:05:14.861 +0530 INFO  TcpOutputProc - Connected to idx=23.20.94.208:9997
07-03-2013 17:05:15.071 +0530 INFO  TcpOutputProc - Connection to 23.20.94.208:9997 closed. Connection closed by server.
07-03-2013 17:05:15.071 +0530 WARN  TcpOutputProc - Applying quarantine to ip=23.20.94.208 port=9997 _numberOfFailures=18
07-03-2013 17:05:15.109 +0530 INFO  TcpOutputProc - Connection to 23.20.94.208:9997 closed. Connection closed by server.
07-03-2013 17:05:15.111 +0530 INFO  TcpOutputProc - Connection to 23.20.94.208:9997 closed. Connection closed by server.
07-03-2013 17:05:16.072 +0530 INFO  TcpOutputProc - Connected to idx=50.17.56.245:9997 using ACK.
07-03-2013 17:05:44.082 +0530 INFO  TcpOutputProc - Removing quarantine from idx=107.20.29.58:9997
07-03-2013 17:05:47.082 +0530 INFO  TcpOutputProc - Connected to idx=107.22.10.147:9997 using ACK.
07-03-2013 17:06:16.083 +0530 INFO  TcpOutputProc - Connected to idx=23.22.132.83:9997 using ACK.
07-03-2013 17:06:45.957 +0530 INFO  TcpOutputProc - Connected to idx=107.22.10.147:9997 using ACK.
07-03-2013 17:07:15.962 +0530 INFO  TcpOutputProc - Connected to idx=54.243.3.115:9997 using ACK.
07-03-2013 17:07:45.963 +0530 INFO  TcpOutputProc - Connected to idx=23.22.208.232:9997 using ACK.
07-03-2013 17:08:16.059 +0530 INFO  TcpOutputProc - Connected to idx=23.22.132.83:9997 using ACK.

Not sure what is causing this ..

/opt/splunkforwarder/etc/system/default/outputs.conf

#   Version 5.0.3

[tcpout]
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal)
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20 
readTimeout = 300
writeTimeout = 300 
useACK = false

 /opt/splunkforwarder/etc/system/default/inputs.conf

#   Version 5.0.3
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/system/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
# into ../local and edit there.
#
# This file contains possible attributes and values you can use to
# configure inputs, distributed inputs and file system monitoring.


[default]
index         = default
_rcvbuf        = 1572864
host = $decideOnStartup
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=



[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal

[monitor://$SPLUNK_HOME\etc\splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME\var\spool\splunk]
move_policy = sinkhole
crcSalt = &amp;lt;SOURCE&amp;gt;

[batch://$SPLUNK_HOME\var\spool\splunk\...stash_new]
queue       = stashparsing
sourcetype  = stash_new
move_policy = sinkhole
crcSalt     = &amp;lt;SOURCE&amp;gt;


[fschange:$SPLUNK_HOME\etc]
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0

[SSL]
# default cipher suites that splunk allows. Change this if you wish to increase the security 
# of SSL connections, or to lower it if you having trouble connecting to splunk.
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM


[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 10000000
source = wmi
sourcetype = wmi
queue = winparsing
persistentQueueSize=200MB

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
disabled = 0
interval = 10000000
source = WinRegistry 
sourcetype=WinRegistry
queue = winparsing
persistentQueueSize=50MB

[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
interval = 10000000
source = ActiveDirectory
sourcetype = ActiveDirectory
disabled = 0
queue = winparsing
persistentQueueSize=50MB

[WinEventLog:Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog:Setup]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:ForwardedEvents]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:HardwareEvents]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:Internet Explorer]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5


Any help would be appreciated 
&lt;/CODE&gt;&lt;/PRE&gt;</description>
    <pubDate>Wed, 03 Jul 2013 11:52:41 GMT</pubDate>
    <dc:creator>foewar</dc:creator>
    <dc:date>2013-07-03T11:52:41Z</dc:date>
    <item>
      <title>TcpOutputProc Connection to ...... closed. Connection closed by server</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83483#M17353</link>
      <description>&lt;PRE&gt;&lt;CODE&gt;Windows The Log

07-03-2013 17:03:44.654 +0530 WARN  TcpOutputProc - Applying quarantine to ip=107.20.29.58 port=9997 _numberOfFailures=7
07-03-2013 17:03:46.107 +0530 INFO  TcpOutputProc - Connected to idx=50.17.56.245:9997 using ACK.
07-03-2013 17:04:16.112 +0530 INFO  TcpOutputProc - Connected to idx=54.243.3.115:9997 using ACK.
07-03-2013 17:04:46.113 +0530 INFO  TcpOutputProc - Connected to idx=23.22.132.83:9997 using ACK.
07-03-2013 17:05:14.114 +0530 INFO  TcpOutputProc - Removing quarantine from idx=23.20.94.208:9997
07-03-2013 17:05:14.801 +0530 INFO  TcpOutputProc - Connected to idx=23.20.94.208:9997
07-03-2013 17:05:14.847 +0530 INFO  TcpOutputProc - Connected to idx=23.20.94.208:9997
07-03-2013 17:05:14.861 +0530 INFO  TcpOutputProc - Connected to idx=23.20.94.208:9997
07-03-2013 17:05:15.071 +0530 INFO  TcpOutputProc - Connection to 23.20.94.208:9997 closed. Connection closed by server.
07-03-2013 17:05:15.071 +0530 WARN  TcpOutputProc - Applying quarantine to ip=23.20.94.208 port=9997 _numberOfFailures=18
07-03-2013 17:05:15.109 +0530 INFO  TcpOutputProc - Connection to 23.20.94.208:9997 closed. Connection closed by server.
07-03-2013 17:05:15.111 +0530 INFO  TcpOutputProc - Connection to 23.20.94.208:9997 closed. Connection closed by server.
07-03-2013 17:05:16.072 +0530 INFO  TcpOutputProc - Connected to idx=50.17.56.245:9997 using ACK.
07-03-2013 17:05:44.082 +0530 INFO  TcpOutputProc - Removing quarantine from idx=107.20.29.58:9997
07-03-2013 17:05:47.082 +0530 INFO  TcpOutputProc - Connected to idx=107.22.10.147:9997 using ACK.
07-03-2013 17:06:16.083 +0530 INFO  TcpOutputProc - Connected to idx=23.22.132.83:9997 using ACK.
07-03-2013 17:06:45.957 +0530 INFO  TcpOutputProc - Connected to idx=107.22.10.147:9997 using ACK.
07-03-2013 17:07:15.962 +0530 INFO  TcpOutputProc - Connected to idx=54.243.3.115:9997 using ACK.
07-03-2013 17:07:45.963 +0530 INFO  TcpOutputProc - Connected to idx=23.22.208.232:9997 using ACK.
07-03-2013 17:08:16.059 +0530 INFO  TcpOutputProc - Connected to idx=23.22.132.83:9997 using ACK.

Not sure what is causing this ..

/opt/splunkforwarder/etc/system/default/outputs.conf

#   Version 5.0.3

[tcpout]
maxQueueSize = 500KB
forwardedindex.0.whitelist = .*
forwardedindex.1.blacklist = _.*
forwardedindex.2.whitelist = (_audit|_internal)
forwardedindex.filter.disable = false
indexAndForward = false
autoLBFrequency = 30
blockOnCloning = true
compressed = false
disabled = false
dropClonedEventsOnQueueFull = 5
dropEventsOnQueueFull = -1
heartbeatFrequency = 30
maxFailuresPerInterval = 2
secsInFailureInterval = 1
maxConnectionsPerIndexer = 2
forceTimebasedAutoLB = false
sendCookedData = true
connectionTimeout = 20 
readTimeout = 300
writeTimeout = 300 
useACK = false

 /opt/splunkforwarder/etc/system/default/inputs.conf

#   Version 5.0.3
# DO NOT EDIT THIS FILE!
# Please make all changes to files in $SPLUNK_HOME/etc/system/local.
# To make changes, copy the section/stanza you want to change from $SPLUNK_HOME/etc/system/default
# into ../local and edit there.
#
# This file contains possible attributes and values you can use to
# configure inputs, distributed inputs and file system monitoring.


[default]
index         = default
_rcvbuf        = 1572864
host = $decideOnStartup
evt_resolve_ad_obj = 0
evt_dc_name=
evt_dns_name=



[monitor://$SPLUNK_HOME\var\log\splunk]
index = _internal

[monitor://$SPLUNK_HOME\etc\splunk.version]
_TCP_ROUTING = *
index = _internal
sourcetype=splunk_version

[batch://$SPLUNK_HOME\var\spool\splunk]
move_policy = sinkhole
crcSalt = &amp;lt;SOURCE&amp;gt;

[batch://$SPLUNK_HOME\var\spool\splunk\...stash_new]
queue       = stashparsing
sourcetype  = stash_new
move_policy = sinkhole
crcSalt     = &amp;lt;SOURCE&amp;gt;


[fschange:$SPLUNK_HOME\etc]
#poll every 10 minutes
pollPeriod = 600
#generate audit events into the audit index, instead of fschange events
signedaudit=true
recurse=true
followLinks=false
hashMaxSize=-1
fullEvent=false
sendEventMaxSize=-1
filesPerDelay = 10
delayInMills = 100

[udp]
connection_host=ip

[tcp]
acceptFrom=*
connection_host=dns

[splunktcp]
route=has_key:_replicationBucketUUID:replicationQueue;has_key:_dstrx:typingQueue;has_key:_linebreaker:indexQueue;absent_key:_linebreaker:parsingQueue
acceptFrom=*
connection_host=ip

[script]
interval = 60.0

[SSL]
# default cipher suites that splunk allows. Change this if you wish to increase the security 
# of SSL connections, or to lower it if you having trouble connecting to splunk.
cipherSuite = ALL:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM


[script://$SPLUNK_HOME\bin\scripts\splunk-wmi.path]
disabled = 0
interval = 10000000
source = wmi
sourcetype = wmi
queue = winparsing
persistentQueueSize=200MB

[script://$SPLUNK_HOME\bin\scripts\splunk-regmon.path]
disabled = 0
interval = 10000000
source = WinRegistry 
sourcetype=WinRegistry
queue = winparsing
persistentQueueSize=50MB

[script://$SPLUNK_HOME\bin\scripts\splunk-admon.path]
interval = 10000000
source = ActiveDirectory
sourcetype = ActiveDirectory
disabled = 0
queue = winparsing
persistentQueueSize=50MB

[WinEventLog:Application]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:Security]
disabled = 1
start_from = oldest
current_only = 0
evt_resolve_ad_obj = 1
checkpointInterval = 5

[WinEventLog:Setup]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:System]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:ForwardedEvents]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:HardwareEvents]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5

[WinEventLog:Internet Explorer]
disabled = 1
start_from = oldest
current_only = 0
checkpointInterval = 5


Any help would be appreciated 
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Wed, 03 Jul 2013 11:52:41 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83483#M17353</guid>
      <dc:creator>foewar</dc:creator>
      <dc:date>2013-07-03T11:52:41Z</dc:date>
    </item>
    <item>
      <title>Re: TcpOutputProc Connection to ...... closed. Connection closed by server</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83484#M17354</link>
      <description>&lt;P&gt;You should check your indexer's splunkd.log and metrics.log to see what is going on with your indexer. You can't tell much from looking at only one side of the issue.&lt;/P&gt;

&lt;P&gt;If you still don't get enough info you can crank up the logging on both sides to get more detail.&lt;/P&gt;

&lt;P&gt;method of increasing logging on inputs and outputs: &lt;A href="http://blogs.splunk.com/2008/09/22/enabling-debug-messages/"&gt;http://blogs.splunk.com/2008/09/22/enabling-debug-messages/&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 03 Jul 2013 13:45:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83484#M17354</guid>
      <dc:creator>phoffman_splunk</dc:creator>
      <dc:date>2013-07-03T13:45:21Z</dc:date>
    </item>
    <item>
      <title>Re: TcpOutputProc Connection to ...... closed. Connection closed by server</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83485#M17355</link>
      <description>&lt;P&gt;I've encountered a similar issue, with slightly different logs, as follows:&lt;/P&gt;

&lt;P&gt;11-26-2013 23:03:58.619 +0000 WARN  TcpOutputProc - Shutdown timed out for 107.22.10.147:9997&lt;BR /&gt;
11-26-2013 23:04:28.607 +0000 WARN  TcpOutputProc - Raw connection to ip=107.22.10.147:9997 timed out&lt;BR /&gt;
11-26-2013 23:04:28.607 +0000 INFO  TcpOutputProc - Detected connection to 107.22.10.147:9997 closed&lt;BR /&gt;
11-26-2013 23:04:28.607 +0000 INFO  TcpOutputProc - Will close stream to current indexer 107.22.10.147:9997&lt;BR /&gt;
11-26-2013 23:04:28.607 +0000 INFO  TcpOutputProc - Closing stream for idx=107.22.10.147:9997&lt;BR /&gt;
11-26-2013 23:04:58.929 +0000 WARN  TcpOutputProc - Cooked connection to ip=107.20.29.58:9997 timed out&lt;BR /&gt;
11-26-2013 23:05:18.931 +0000 WARN  TcpOutputProc - Cooked connection to ip=23.23.14.246:9997 timed out&lt;BR /&gt;
11-26-2013 23:05:38.931 +0000 WARN  TcpOutputProc - Cooked connection to ip=107.22.148.176:9997 timed out&lt;BR /&gt;
11-26-2013 23:05:58.933 +0000 WARN  TcpOutputProc - Cooked connection to ip=54.243.3.115:9997 timed out&lt;BR /&gt;
11-26-2013 23:06:18.936 +0000 WARN  TcpOutputProc - Cooked connection to ip=50.17.56.245:9997 timed out&lt;BR /&gt;
11-26-2013 23:06:20.068 +0000 INFO  TcpOutputProc - Connected to idx=54.224.46.188:9997 using ACK.&lt;BR /&gt;
11-26-2013 23:06:58.937 +0000 WARN  TcpOutputProc - Cooked connection to ip=23.22.208.232:9997 timed out&lt;BR /&gt;
11-26-2013 23:07:18.940 +0000 WARN  TcpOutputProc - Cooked connection to ip=107.20.29.58:9997 timed out&lt;BR /&gt;
11-26-2013 23:07:20.942 +0000 INFO  TcpOutputProc - Connected to idx=23.20.94.208:9997 using ACK.&lt;BR /&gt;
11-26-2013 23:07:28.600 +0000 WARN  TcpOutputProc - Shutdown timed out for 23.23.14.246:9997&lt;BR /&gt;
11-26-2013 23:07:40.590 +0000 INFO  TcpOutputProc - Connected to idx=54.224.135.13:9997 using ACK.&lt;/P&gt;

&lt;P&gt;If I'm using splunk&amp;gt;storm then I won't be able to see the indexer's splunkd.log and metrics.log to see what is going on with the indexer, right? If so, where do I go from here?&lt;/P&gt;

&lt;P&gt;My setup is as follows:&lt;BR /&gt;
webserver nodes-&amp;gt;splunkforwarder-&amp;gt;splunkstorm&lt;/P&gt;

&lt;P&gt;Both the webserver nodes and the splunkforwarder show active forwards.&lt;/P&gt;

&lt;P&gt;Any help is greatly appreciated.&lt;BR /&gt;
Thank you.&lt;/P&gt;</description>
      <pubDate>Tue, 26 Nov 2013 23:18:25 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83485#M17355</guid>
      <dc:creator>imagineer411</dc:creator>
      <dc:date>2013-11-26T23:18:25Z</dc:date>
    </item>
    <item>
      <title>Re: TcpOutputProc Connection to ...... closed. Connection closed by server</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83486#M17356</link>
      <description>&lt;P&gt;When you search for data from this host, are you getting data from this host?&lt;/P&gt;</description>
      <pubDate>Wed, 27 Nov 2013 01:31:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83486#M17356</guid>
      <dc:creator>lukejadamec</dc:creator>
      <dc:date>2013-11-27T01:31:56Z</dc:date>
    </item>
    <item>
      <title>Re: TcpOutputProc Connection to ...... closed. Connection closed by server</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83487#M17357</link>
      <description>&lt;P&gt;You can search the _internal index to see your splunkd and metrics logs.  If you want one in particular, for example metrics.log: index=_internal source=*metrics.log&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 15:22:32 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83487#M17357</guid>
      <dc:creator>phoffman_splunk</dc:creator>
      <dc:date>2020-09-28T15:22:32Z</dc:date>
    </item>
    <item>
      <title>Re: TcpOutputProc Connection to ...... closed. Connection closed by server</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83488#M17358</link>
      <description>&lt;P&gt;I had the same problem: the forwarder couldn't connect to the indexer.&lt;BR /&gt;
On Windows, for a universal forwarder installation (5.0.4), please check the files in:&lt;BR /&gt;
path /SplunkUniversalForwarder/etc/system/local &lt;BR /&gt;
Replace the config files there (keep a copy of the existing ones first) with those from:&lt;BR /&gt;
path /SplunkUniversalForwarder/etc/apps/Windows/local &lt;BR /&gt;
Restart the forwarder:&lt;BR /&gt;
splunk restart&lt;/P&gt;

&lt;P&gt;It should then connect.&lt;BR /&gt;
On the Splunk host I can see that the forwarder has connected and has sent logs. I had activated some advanced audit features.&lt;/P&gt;</description>
      <pubDate>Tue, 24 Dec 2013 10:20:44 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/TcpOutputProc-Connection-to-closed-Connection-closed-by-server/m-p/83488#M17358</guid>
      <dc:creator>Akili</dc:creator>
      <dc:date>2013-12-24T10:20:44Z</dc:date>
    </item>
  </channel>
</rss>

