Dear Splunkers,
Can you please assist with the following problem:
We have more than 20 UFs installed on Windows machines; all of them have a deployment server set and were visible in Forwarder Management. But after some time all of them disappeared from FM, and they appear there from time to time.
I have tried deleting $SPLUNK_HOME/etc/instance.cfg on several forwarders and restarting them, but the problem was not fixed.
Any ideas how to fix it and what can cause such strange behavior?
Regards,
Eugene
Thank you all for the help. The problem was in the SSL keys. I don't know what happened and how they connected the first time, but after I created new keys and published them to the forwarders, the problem disappeared.
BTW: no errors in the logs regarding SSL.
Versions are the same.
btool and show deploy-poll show correct values.
telnet - clarifying with the client, because I do not have access to the endpoints where the forwarders are installed.
and clients are in the same subnet, no VPN is used.
You should try curl/telnet from the UF side to the DS. All traffic between those is initiated by the DC, not the DS!
curl -vkI https://<Your DS fqdn>:8089
The above command shows the HEAD part of the response with debug information.
For security reasons it's good to disable the 8089 (management) port on the UF unless you are regularly using it from scripts etc. on the UF side.
How about host based firewalls?
r. Ismo
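Added example, not part of any post in this thread: a shell version of the UF-side check suggested above, extended to read the deployment server address from the forwarder's own deploymentclient.conf and to print the certificate the DS presents, since the cause reported in the thread was SSL keys with nothing in the logs. It assumes a POSIX shell with `awk` and `openssl` on the forwarder host; the function names, the file path in the usage comment and the sample hostname are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Run on the forwarder (UF) host.

# Print host:port of the deployment server from a deploymentclient.conf file.
# Tolerates CRLF line endings (Windows UFs) and an optional https:// scheme.
ds_target() {
  awk -F= '
    /^[ \t]*\[/ { in_stanza = ($0 ~ /^[ \t]*\[target-broker:deploymentServer\]/) }
    in_stanza && $1 ~ /^[ \t]*targetUri[ \t]*$/ {
      v = $2
      gsub(/[ \t\r]/, "", v)
      sub(/^https?:\/\//, "", v)
      print v
      exit
    }' "$1"
}

# TLS probe of the DS management port, client-initiated like the UF's own polling.
# Prints certificate subject and expiry; returns non-zero when the TCP connect or
# handshake fails, or when the presented certificate has already expired.
probe_ds() {
  ds_out=$(openssl s_client -connect "$1" </dev/null 2>/dev/null) || {
    echo "no TLS session with $1 (check routing, host firewall, certificates)"
    return 1
  }
  printf '%s\n' "$ds_out" | openssl x509 -noout -subject -enddate -checkend 0
}

# Constructed sample input (hostname is a placeholder), written with CRLF endings.
write_sample_conf() {
  printf '%s\r\n' \
    '[deployment-client]' \
    '[target-broker:deploymentServer]' \
    '# targetUri = old-ds.example.test:8089' \
    'targetUri = https://ds.example.test:8089' > "$1"
}

# Usage (path is an assumption; btool shows which file actually sets targetUri):
#   probe_ds "$(ds_target "$SPLUNK_HOME/etc/system/local/deploymentclient.conf")"
```

Running the probe from several forwarders and comparing the printed subject and expiry shows whether they all see the same, still-valid DS certificate.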
I mean only one