https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204191#M40297 <P>yes clearly a misunderstanding (in my case) of how heavy (intermediate) forwarders should deal with their input data</P> Thu, 04 Aug 2016 05:16:28 GMT lauMarot 2016-08-04T05:16:28Z https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204188#M40294 <P>Hello,</P> <P>problem on splunk enterprise 6.4.2</P> <P>I've just set up an intermediate (heavy) splunk 6.4 forwarder between my syslog-ng server and my indexer. This heavy forwarder is supposed to help me filtering F5 BigIP logs</P> <P>1 - Receiving was set up on Indexer to listen on port 5141 (not 9997 default port) usin web Gui (then i double check that the stanza is ok in inputs.conf)</P> <P>2 - Forwarding was activated from forwarder using web Gui (menu "Forwarding ans Receiving / Forward data") adding "xxx.xxx.xxx.xxx:5141" where xxx.xxx.xxx.xxx is the IP of my indexer</P> <P>3 - log Stream can be displayed on idexer using tcpdump</P> <P>4 - no data is collected in any index and the error " ERROR TcpInputProc - Message rejected. Received unexpected 1009858864" is thrown</P> <P>What could be wrong ?</P> Wed, 03 Aug 2016 12:47:14 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204188#M40294 lauMarot 2016-08-03T12:47:14Z https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204189#M40295 <P>just one dumb thing I forgot to mention : I used to think It was possible to grab the Syslog stream of my device in my Forwarder directly through TCP receiver of my Forwarder (see the screenshot)<span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1673iF858273AB340FAD5/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 03 Aug 2016 20:00:54 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204189#M40295 lauMarot 2016-08-03T20:00:54Z https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204190#M40296 <P>A similar case at <A href="https://answers.splunk.com/answers/194810/62-forwarder-configuration-on-linux-why-am-i-getti.html">6.2 Forwarder Configuration on Linux: Why am I getting error "TcpInputProc - Message rejected. Received unexpected 369295616 byte message!" in server's splunkd.log?</A></P> <P>It ended up being a misconfiguration - </P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/1674i4DD8B7466A9DEEC3/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Wed, 03 Aug 2016 20:27:00 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204190#M40296 ddrillic 2016-08-03T20:27:00Z https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204191#M40297 <P>yes clearly a misunderstanding (in my case) of how heavy (intermediate) forwarders should deal with their input data</P> Thu, 04 Aug 2016 05:16:28 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204191#M40297 lauMarot 2016-08-04T05:16:28Z https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204192#M40298 <P>Hi Laurent,</P> <P>The fwd (whatever version) can receive syslog streams, as any other fwd.<BR /> keep in mind that if you do not need any functions from the Heavy fwd (web interface, advanced filtering), you should use the Universal fwd (even to act as a relay). </P> Fri, 05 Aug 2016 07:27:50 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204192#M40298 mdessus_splunk 2016-08-05T07:27:50Z https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204193#M40299 <P>yeap ! Understood ! But receiving must be set from "Data inputs » UDP " and not "Forwarding and receiving » Receive data » Add new " (my mistake) <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 05 Aug 2016 07:42:07 GMT https://community.splunk.com/t5/Getting-Data-In/ERROR-TcpInputProc-Message-rejected-Received-unexpected/m-p/204193#M40299 lauMarot 2016-08-05T07:42:07Z