topic Why are my Windows system event logs not getting indexed and getting "WARN TcpOutputProc - Raw connection to ip=serverip:9997 timed out"? in Getting Data In

Why are my Windows system event logs not getting indexed and getting "WARN TcpOutputProc - Raw connection to ip=serverip:9997 timed out"?

SridharS — Tue, 15 Dec 2015 19:52:38 GMT

Hi, I need to index some Windows system event logs of a remote server (using forwarder) into Splunk. My files are as below in the path $home/etc/apps/<myappname>/local on the forwarder

inputs.conf

[winEventLog://system]
disable = 0
whitelist = 41,104
index = wineventlog

outputs.conf

[tcpout]
default = primary_indexers
[tcpout:primary_indexers]
useACK=true
server = splunkservername:9997

I restarted the forwarder. My tcp port 9997 is open, but why are the logs not getting indexed in Splunk. The last log in the splunkd was:

12-15-2015 14:45:37.097 -0500 WARN  TcpOutputProc - Raw connection to ip=serverip:9997 timed out
12-15-2015 14:45:37.097 -0500 INFO  TcpOutputProc - Ping connection to idx=serverip:9997 timed out. continuing connections
12-15-2015 14:45:37.097 -0500 INFO  TcpOutputProc - Ping connection to idx=serverip:9997 timed out. continuing connections

Re: Why are my Windows system event logs not getting indexed and getting "WARN TcpOutputProc - Raw connection to ip=serverip:9997 timed out"?

hortonew — Wed, 16 Dec 2015 07:06:53 GMT

Has it ever been able to send logs to your indexers? If not, verify that your universal fowarder can:

telnet splunkservername 9997

If that is successful, rule out slow/problematic dns resolutions by configuring your hosts file to map that server name to its IP. Report back after ruling these out. If you try both of these and there are still issues, chances are the problem is on the indexer and not your client sending data. You can also try setting connection_host=false in your inputs.conf for the 9997 stanza, making sure the indexer isn't trying to resolve the name of the forwarder.

Re: Why are my Windows system event logs not getting indexed and getting "WARN TcpOutputProc - Raw connection to ip=serverip:9997 timed out"?

SridharS — Wed, 16 Dec 2015 17:15:21 GMT

it worked when i added connection_host=false to my inputs.conf

Re: Why are my Windows system event logs not getting indexed and getting "WARN TcpOutputProc - Raw connection to ip=serverip:9997 timed out"?

goelt2000 — Tue, 29 Sep 2020 08:19:49 GMT

hi,

Whats the difference between connection_host=false and connection_host=ip.

Thanks

Re: Why are my Windows system event logs not getting indexed and getting "WARN TcpOutputProc - Raw connection to ip=serverip:9997 timed out"?

hortonew — Fri, 08 Jan 2016 13:23:23 GMT

From the docs:
connection_host = [ip|dns|none]
* "ip" sets the host to the IP address of the system sending the data.
* "dns" sets the host to the reverse DNS entry for IP address of the system
sending the data.
* "none" leaves the host as specified in inputs.conf, typically the splunk
system hostname.
* Defaults to "dns".

Re: Why are my Windows system event logs not getting indexed and getting "WARN TcpOutputProc - Raw connection to ip=serverip:9997 timed out"?

goelt2000 — Fri, 08 Jan 2016 14:36:08 GMT

none means it will leave it to be the receiver hostname?
What does connection_host=false, means?

Thanks much!

Re: Why are my Windows system event logs not getting indexed and getting "WARN TcpOutputProc - Raw connection to ip=serverip:9997 timed out"?

hortonew — Fri, 08 Jan 2016 15:17:56 GMT

None would be whatever is configured in the forwarder's inputs.conf. So if you have a universal forwarder sending data, whatever is in that universal forwarder's inputs.conf for hostname.

I'm 90% sure none and false do the same thing, but I couldn't find confirmation.