Archive
Highlighted

Strange warning message, issues Splunking Active Directory

Explorer

Having issues receiving data from my AD,
Firewall is set to allow 9997 and 8089 TCP/UDP Outbound and Inbound

I get the below Error and warning in my splunkd.log

11-06-2013 06:59:02.526 +1300 ERROR TcpOutputFd - Resurrect failure
11-06-2013 06:59:02.994 +1300 WARN TcpOutputProc - Connected to idx=10.21.12.195:9997. Not using ACK.

0 Karma
Highlighted

Re: Strange warning message, issues Splunking Active Directory

Path Finder

Looks like a network issue, check these things:

  1. That port 9997 is not being used by another application.
  2. the local firewall settings on the AD are set up properly. e.g. iptables
  3. Splunk versions are compatible between indexer and forwarder

I would also do a packet trace on both the splunk server and the AD machine to confirm that there's no packet loss or strange behaviour from the AD. You can compare it to a packet trace on a machine that works properly to see if there's any discrepancies.

View solution in original post

0 Karma
Highlighted

Re: Strange warning message, issues Splunking Active Directory

Explorer

Issue was due to Forwarder being 5.0 and Indexer being 6.0, thanks, should have noticed that one :S

0 Karma