Deployment Architecture

Why has my universal forwarder stopped sending logs to my indexer after version upgrade?

vanderaj2
Path Finder

Hi Splunkers,

My indexers are running Splunk Enterprise v6.5.3. I recently upgraded a "test" Universal Forwarder in my environment to v6.6.5, and I'm no longer getting logs going to my indexers from this "test" UF after the upgrade.

I'm seeing a bunch of these errors before the logs stopped: WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server hello A', alert_description='handshake failure'.

Is this an SSL or cipherSuite incompatibility issue between the two different versions of Splunk? Is there a workaround to get the test forwarder sending logs again, or do I have no choice but to either 1. downgrade the forwarder -OR- 2. upgrade my indexers?

Thank you!

Tags (1)

Elsurion
Communicator

You have to disable the SSLv3 Support on the Forwarder in the local/server.conf.

[sslConfig]
sslKeysfilePassword = <your_password>
sslVersions=*,-ssl2,-ssl3
cipherSuite = TLSv1.2:!eNULL:!aNULL

Then it should work again.

0 Karma

micahkemp
Champion

Points for upgrading a test forwarder first!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...