topic Re: Strange warning message, issues Splunking Active Directory in Monitoring Splunk

Strange warning message, issues Splunking Active Directory

samlaw — Tue, 05 Nov 2013 19:02:51 GMT

Having issues receiving data from my AD,
Firewall is set to allow 9997 and 8089 TCP/UDP Outbound and Inbound

I get the below Error and warning in my splunkd.log

11-06-2013 06:59:02.526 +1300 ERROR TcpOutputFd - Resurrect failure
11-06-2013 06:59:02.994 +1300 WARN TcpOutputProc - Connected to idx=10.21.12.195:9997. Not using ACK.

Re: Strange warning message, issues Splunking Active Directory

yong_ly — Tue, 05 Nov 2013 21:25:53 GMT

Looks like a network issue, check these things:

That port 9997 is not being used by another application.
the local firewall settings on the AD are set up properly. e.g. iptables
Splunk versions are compatible between indexer and forwarder

I would also do a packet trace on both the splunk server and the AD machine to confirm that there's no packet loss or strange behaviour from the AD. You can compare it to a packet trace on a machine that works properly to see if there's any discrepancies.

Re: Strange warning message, issues Splunking Active Directory

samlaw — Wed, 06 Nov 2013 01:09:18 GMT

Issue was due to Forwarder being 5.0 and Indexer being 6.0, thanks, should have noticed that one :S