Deployment Architecture

Why has my universal forwarder stopped sending logs to my indexer after version upgrade?

Path Finder

Hi Splunkers,

My indexers are running Splunk Enterprise v6.5.3. I recently upgraded a "test" Universal Forwarder in my environment to v6.6.5, and I'm no longer getting logs going to my indexers from this "test" UF after the upgrade.

I'm seeing a bunch of these errors before the logs stopped: WARN SSLCommon - Received fatal SSL3 alert. ssl_state='SSLv3 read server hello A', alert_description='handshake failure'.

Is this an SSL or cipherSuite incompatibility issue between the two different versions of Splunk? Is there a workaround to get the test forwarder sending logs again, or do I have no choice but to either 1. downgrade the forwarder -OR- 2. upgrade my indexers?

Thank you!

Tags (1)


You have to disable the SSLv3 Support on the Forwarder in the local/server.conf.

sslKeysfilePassword = <your_password>
cipherSuite = TLSv1.2:!eNULL:!aNULL

Then it should work again.

0 Karma


Points for upgrading a test forwarder first!

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...