Why has my universal forwarder stopped sending logs to my indexer after version upgrade?

Hi Splunkers,

My indexers are running Splunk Enterprise v6.5.3. I recently upgraded a "test" Universal Forwarder in my environment to v6.6.5, and I'm no longer getting logs going to my indexers from this "test" UF after the upgrade.

I'm seeing a bunch of these errors before the logs stopped: WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server hello A', alert_description='handshake failure'.

Is this an SSL or cipherSuite incompatibility issue between the two different versions of Splunk? Is there a workaround to get the test forwarder sending logs again, or do I have no choice but to either 1. downgrade the forwarder -OR- 2. upgrade my indexers?

Thank you!


You have to disable the SSLv3 Support on the Forwarder in the local/server.conf.

sslKeysfilePassword = <your_password>
cipherSuite = TLSv1.2:!eNULL:!aNULL

Then it should work again.

0 Karma


Points for upgrading a test forwarder first!

0 Karma
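
A way to check in the forwarder's splunkd.log when the SSLCommon alerts quoted in the question began and at which handshake state they occur, as an added example that is not part of the original thread. The sample lines are constructed in splunkd.log's timestamp layout around the message from the question; the host name and the non-SSLCommon lines are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample; only the SSLCommon message text comes from the question.
SAMPLE_LOG = """\
01-15-2018 10:02:11.004 -0500 INFO  TcpOutputProc - Connecting to idx.example.invalid:9997
01-15-2018 10:02:11.120 -0500 WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server hello A', alert_description='handshake failure'.
01-15-2018 10:02:41.377 -0500 WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server hello A', alert_description='handshake failure'.
01-15-2018 10:03:11.902 -0500 WARN  SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server hello A', alert_description='handshake failure'.
01-15-2018 10:03:12.000 -0500 INFO  TailReader - constructed unrelated line
"""

# Timestamp, log level, then the SSLCommon alert with its two quoted fields.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
    r"(?P<level>\w+)\s+SSLCommon - Received fatal SSL3 alert\. "
    r"ssl_state='(?P<state>[^']*)', alert_description='(?P<alert>[^']*)'"
)

def parse_alerts(text):
    """Return (timestamp, ssl_state, alert_description) for each SSLCommon fatal alert."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
            alerts.append((ts, m["state"], m["alert"]))
    return alerts

def summarize(alerts):
    """Group alerts by (ssl_state, alert_description) with count, first and last seen."""
    counts = Counter((state, alert) for _, state, alert in alerts)
    summary = {}
    for key, n in counts.items():
        seen = [ts for ts, state, alert in alerts if (state, alert) == key]
        summary[key] = {"count": n, "first": min(seen), "last": max(seen)}
    return summary

if __name__ == "__main__":
    for (state, alert), info in summarize(parse_alerts(SAMPLE_LOG)).items():
        print(f"{info['count']}x {alert!r} at {state!r} "
              f"from {info['first']:%H:%M:%S} to {info['last']:%H:%M:%S}")
```

Comparing the first-seen time with the time of the forwarder upgrade shows whether the alerts started with the version change.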