Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why has my universal forwarder stopped sending logs to my indexer after version upgrade?

vanderaj2
Path Finder
‎02-14-2018 01:57 PM

Hi Splunkers,

My indexers are running Splunk Enterprise v6.5.3. I recently upgraded a "test" Universal Forwarder in my environment to v6.6.5, and I'm no longer getting logs going to my indexers from this "test" UF after the upgrade.

I'm seeing a bunch of these errors before the logs stopped: WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server hello A', alert_description='handshake failure'.

Is this an SSL or cipherSuite incompatibility issue between the two different versions of Splunk? Is there a workaround to get the test forwarder sending logs again, or do I have no choice but to either 1. downgrade the forwarder -OR- 2. upgrade my indexers?

Thank you!

Tags (1)
Reply

Elsurion
Communicator
‎02-14-2018 10:52 PM

You have to disable the SSLv3 Support on the Forwarder in the local/server.conf.

[sslConfig]
sslKeysfilePassword = <your_password>
sslVersions=*,-ssl2,-ssl3
cipherSuite = TLSv1.2:!eNULL:!aNULL

Then it should work again.

0 Karma
Reply

micahkemp
Champion
‎02-14-2018 02:03 PM

Points for upgrading a test forwarder first!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...