My Splunk instance is an indexer and deployment server on Windows 2008.
I have 2 problems:
I see lots of these errors in $SPLUNK_HOME/var/log/splunk/splunkd.log:
06-14-2011 06:48:51.298 -0400 ERROR TcpInputProc - Error encountered for connection from src=10.131.83.10:3837. Winsock error 10053
I checked in MSDN; this error is a timeout of the socket:
WSAECONNABORTED 10053
Software caused connection abort.
An established connection was aborted by the software in your host computer, possibly due to a data transmission time-out or protocol error.
Is your server using WINS/NetBIOS as the only name resolution protocol?
This is a known error on Windows with indexers and deployment servers.
Splunk asks the server to do name resolution on the clients in order to apply the whitelists/blacklists for the deployment rules; this resolution is not occurring, so the socket stays open until a timeout.
Usually this error occurs when only WINS is used with separate networks.
Can you check your network settings? You may need a valid DNS resolving the host names of the forwarders/deployment clients.
A quick workaround is to populate the hosts file on the server with the IP / hostname pairs in
%SystemRoot%\system32\drivers\etc\hosts
This same error will be generated if you are enabling SSL communications from Universal Forwarder to Indexer, but haven't installed the root CA onto the Windows Server running the Universal Forwarder (e.g. SSL cert presented by the Indexer isn't trusted).
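To see which forwarders the name-resolution answer above applies to, the following added example (not from the original thread or from Splunk) tallies the Winsock 10053 lines in splunkd.log per source IP and checks whether the server can resolve each address to a name. The function names and all sample lines after the first are constructed, and using a reverse lookup as the probe is an assumption about how the resolution is performed.

```python
import re
import socket
from collections import Counter

# Matches the TcpInputProc line quoted in the question and captures the source IP.
LINE_RE = re.compile(
    r"ERROR TcpInputProc - Error encountered for connection from "
    r"src=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\. Winsock error 10053"
)

def aborted_sources(lines):
    """Count Winsock 10053 aborts per source IP."""
    return Counter(m.group("ip") for m in map(LINE_RE.search, lines) if m)

def reverse_lookup(ip):
    """Return the name the OS resolver (DNS, hosts file) gives for ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None

def report(lines, resolver=reverse_lookup):
    """Rows of (ip, abort_count, hostname_or_None), busiest source first."""
    return [(ip, n, resolver(ip)) for ip, n in aborted_sources(lines).most_common()]

def unresolved(rows):
    """IPs the server cannot name: candidates for a DNS record or hosts entry."""
    return [ip for ip, _, name in rows if name is None]

# First line is from the question; the rest are constructed for illustration.
SAMPLE = [
    "06-14-2011 06:48:51.298 -0400 ERROR TcpInputProc - Error encountered for connection from src=10.131.83.10:3837. Winsock error 10053",
    "06-14-2011 06:49:02.110 -0400 INFO  TcpInputProc - constructed unrelated line",
    "06-14-2011 06:49:21.771 -0400 ERROR TcpInputProc - Error encountered for connection from src=10.131.84.22:4112. Winsock error 10053",
    "06-14-2011 06:50:51.305 -0400 ERROR TcpInputProc - Error encountered for connection from src=10.131.83.10:3901. Winsock error 10053",
]

if __name__ == "__main__":
    rows = report(SAMPLE)  # pass open(path) to read a real splunkd.log
    for ip, count, name in rows:
        print(f"{ip}\t{count} aborts\t{name or 'NO NAME RESOLUTION'}")
    print("Needs DNS or hosts entry:", ", ".join(unresolved(rows)) or "none")
```

Addresses that resolve correctly but still abort point away from name resolution and toward other causes raised in this thread, such as an untrusted SSL certificate.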