Hi Team, I have opened the ports to the heavy forwarder from the UF. The ports are opened from UF to HF, but not the other way around. I am getting the below message when receiving the data.
curl: (56) Failure when receiving data from the peer
./splunk list forward-server
Configured but inactive forwards:
Messages in output of splunkd.log
Indexer uri xx.x.xxx.xxx:8201, client refCount=0, client=NULL
DEBUG TcpOutputProc - Found quarantined idx=xx.x.xxx.xxx:8201 . skipping over it.
DEBUG TcpOutputProc - Looking for indexer...
DEBUG TcpOutputProc - Cannot find any valid descriptors when looking for new indexer.
DEBUG TcpOutputProc - Connection not available. Waiting for connection ...
DEBUG TcpOutputProc - channel not registered yet
Can you please suggest what might be the issue that I am not able to connect to the HF?
Also, should we have a two-way connection between the UF and HF?
Validate that the connection is open. On the forwarder side, do this:
./splunk cmd openssl s_client -connect <ip>:<port> -showcerts
If the connection is good, you should see CONNECTED, and if you're using SSL you'll see the HF cert details.
Is 8201 your receiving port on the indexer?
Can you post your inputs.conf from the indexer?
/opt/splunk/bin/splunk btool inputs list --debug splunktcp | grep -v system/default
You should get something like this for a non-SSL port:
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1566926525
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
On Linux, 104 is ECONNRESET for "Connection reset by peer" – in other words, the connection was forcibly closed with a TCP RST packet, either sent out by the server or spoofed by an intermediary.
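Added example, not part of the thread and not Splunk code: a passive TCP probe, run from the forwarder side, that separates the outcomes the replies above distinguish (port open, nothing listening, connection reset with errno 104, no answer). The names `probe`, `demo_listener` and `closed_port` are hypothetical, and the localhost listeners are constructed stand-ins for a receiving port so the script runs offline.

```python
import socket
import struct
import threading
import time

def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt to a receiving port, sending no data."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"    # no answer at all: packets dropped on the path
    except ConnectionRefusedError:
        return "refused"    # RST in reply to the SYN: nothing listening on the port
    except OSError as exc:
        return "error: %s" % exc    # e.g. no route to host
    with sock:
        try:
            data = sock.recv(1)     # wait to see what the peer does after accepting
        except ConnectionResetError:
            return "reset"          # errno 104 on Linux: RST after the handshake
        except socket.timeout:
            return "open"           # peer accepted and is holding the connection
        return "closed" if data == b"" else "open"

def demo_listener(mode):
    """Constructed localhost stand-in for a receiver; mode: 'hold', 'close', 'reset'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        if mode == "reset":
            # SO_LINGER on with a zero timeout makes close() send RST instead of FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        elif mode == "hold":
            time.sleep(2.0)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def closed_port():
    """Return a localhost port that was just released, so nothing listens on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    for mode in ("hold", "close", "reset"):
        print(mode, "->", probe("127.0.0.1", demo_listener(mode), timeout=0.5))
    print("no listener ->", probe("127.0.0.1", closed_port(), timeout=0.5))
```

Against a real receiver, call `probe("<ip>", <port>)` with the same address and port used in the `s_client` check.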