https://community.splunk.com/t5/Installation/UF-communication-over-the-deployment-server/m-p/669741#M13427 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254391">@MayurMangoli</a>&nbsp;,</P><P>good for you, see next time!</P><P>let me know if I can help you more, or, please, accept one answer for the other people of Community.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sun, 26 Nov 2023 15:07:25 GMT gcusello 2023-11-26T15:07:25Z https://community.splunk.com/t5/Installation/UF-communication-over-the-deployment-server/m-p/669282#M13406 <P><STRONG>i have installed the deployment server where configured required inputs.conf&nbsp;and outputs.conf for ingesting logs from UF to my indexer&nbsp; on the deployment-app of deployment server, and configured the UF forwarder to the deployment server, i found the new host details in the deployment server under the forward management tab. And pointed to appropriate classes and apps from the forward-management&nbsp; configuration. Still I'm not able to get the logs on the indexer.</STRONG></P><P>when i see the error on the Splunkd log of uf.</P><P><STRONG>Find the below error</STRONG></P><P>&nbsp;</P><P><STRONG>11-20-2023 17:25:40.602 +0400 ERROR X509Verify - X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) failed validation; error=7, reason="certificate signature failure"<BR />11-20-2023 17:25:40.602 +0400 WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server certificate B', alert_description='decrypt error'.<BR />11-20-2023 17:25:40.602 +0400 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:<BR />11-20-2023 17:25:40.602 +0400 INFO HttpPubSubConnection - Could not obtain connection, will retry after=86.429 seconds.<BR />11-20-2023 17:25:40.778 +0400 INFO WatchedFile - Will begin reading at offset=2295058 for file='/var/log/audit/audit.log'.<BR />11-20-2023 17:25:46.129 +0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/var/log/anaconda/ks-script-lk6ot_yw.log'.<BR />11-20-2023 17:25:46.130 +0400 INFO WatchedFile - File too small to check seekcrc, probably truncated. Will re-read entire file='/var/log/anaconda/ks-script-wo9l091q.log'.<BR />11-20-2023 17:25:49.856 +0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected<BR />11-20-2023 17:26:01.857 +0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected<BR />11-20-2023 17:26:07.910 +0400 INFO ScheduledViewsReaper - Scheduled views reaper run complete. Reaped count=0 scheduled views<BR />11-20-2023 17:26:07.914 +0400 INFO TcpOutputProc - Removing quarantine from idx=192.168.1.5:9997<BR />11-20-2023 17:26:07.914 +0400 INFO TcpOutputProc - Removing quarantine from idx=192.168.1.6:9997<BR />11-20-2023 17:26:07.921 +0400 ERROR TcpOutputFd - Read error. Connection reset by peer<BR />11-20-2023 17:26:07.928 +0400 ERROR TcpOutputFd - Read error. Connection reset by peer</STRONG></P> Tue, 21 Nov 2023 04:22:38 GMT https://community.splunk.com/t5/Installation/UF-communication-over-the-deployment-server/m-p/669282#M13406 MayurMangoli 2023-11-21T04:22:38Z https://community.splunk.com/t5/Installation/UF-communication-over-the-deployment-server/m-p/669298#M13407 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254391">@MayurMangoli</a>&nbsp;,</P><P>did you configured your Indexers to receive encrypted logs?</P><P>It seems that you forgot to add the correct configuration in the outputs.conf that you deployed to your UFs.</P><P>For more infos see at&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.2.12/Security/Aboutsecuringdatafromforwarders" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.12/Security/Aboutsecuringdatafromforwarders</A>&nbsp;</P><P>Ciao.</P><P>Giuseppe</P> Tue, 21 Nov 2023 07:40:40 GMT https://community.splunk.com/t5/Installation/UF-communication-over-the-deployment-server/m-p/669298#M13407 gcusello 2023-11-21T07:40:40Z https://community.splunk.com/t5/Installation/UF-communication-over-the-deployment-server/m-p/669738#M13424 <P>Thanks&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/161352">@gcusello</a>&nbsp;,</P><P>&nbsp;i just checked the configuration, and seems after changing the syanza, it worked and started connecting.</P> Sun, 26 Nov 2023 14:28:53 GMT https://community.splunk.com/t5/Installation/UF-communication-over-the-deployment-server/m-p/669738#M13424 MayurMangoli 2023-11-26T14:28:53Z https://community.splunk.com/t5/Installation/UF-communication-over-the-deployment-server/m-p/669741#M13427 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/254391">@MayurMangoli</a>&nbsp;,</P><P>good for you, see next time!</P><P>let me know if I can help you more, or, please, accept one answer for the other people of Community.</P><P>Ciao and happy splunking</P><P>Giuseppe</P><P>P.S.: Karma Points are appreciated <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sun, 26 Nov 2023 15:07:25 GMT https://community.splunk.com/t5/Installation/UF-communication-over-the-deployment-server/m-p/669741#M13427 gcusello 2023-11-26T15:07:25Z