Getting Data In

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369296128 bytes for syslogs

kundanshekhx
Explorer

Hi, 

I am trying to onboard a new syslog feed coming from a syslog-ng server, but the data is not indexing.

I am getting the below error in the internal logs on the SH.

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369296128 bytes from src=xx.xx.xx.xx:xxxxx in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

Below is the path I have set for the incoming logs.

Syslog-ng server > Universal Forwarder(TCP port) > Indexer

Below are the configurations set at the forwarder end:

inputs.conf
[tcp://xxxxx]
sourcetype=syslog
index = Index_name
disabled=false

outputs.conf
[tcpout]
defaultGroup = ABC
maxQueueSize = 7MB
useACK = true

[tcpout:ABC]
server = index_server1:42000, index_server2:42000, index_server3:42000

# SSL SETTINGS
sslCertPath = $SPLUNK_HOME/etc/auth/server.pem
sslRootCAPath = $SPLUNK_HOME/etc/auth/ca.pem
sslPassword = xxxx
sslVerifyServerCert = true


To resolve the issue, I have tried setting the value of bucketRebuildMemoryHint in indexes.conf both to auto and manually, but it didn't work.

indexes.conf

[default]

bucketRebuildMemoryHint = 569366123.


Can anyone please advise me on this? Please let me know if there is any information I missed sharing that might help in reaching a solution.


Thanks in advance 🙂



isoutamo
SplunkTrust

Is this error message from your indexer or UF?

By the way, when you are using useACK, maxQueueSize is automatically 7MB.

Do you know how big the messages coming from syslog-ng are?

Could this be the reason? You have put some SSL configs on the UF, but are the indexers expecting SSL?

https://community.splunk.com/t5/Getting-Data-In/quot-ERROR-TcpInputProc-Message-rejected-quot-error-...

r. Ismo


kundanshekhx
Explorer

Hi R.Ismo,

Thanks for the reply.

The error message is from the indexer.

As per the error message, the size of the incoming message is 369296128 bytes, which is around 352 MB.

SSL is working fine, as we have logs from other data sources coming to the indexers through the same UF.

This is the first time we are trying to onboard syslogs using a TCP port.


Thanks,

Kundan


Vamsikrishna
New Member

Hi @kundanshekhx,

Did you fix this issue?

If yes, please let me know how you fixed it.


PickleRick
SplunkTrust

@Vamsikrishna This is a rather old thread, and the thread author's last activity on the forum was about 3 years ago, so it's relatively unlikely you'll get an answer from them.

To the main point - I'd guess that for one reason or another the forwarder fails to break the input stream into small enough chunks before sending it downstream.

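As an added illustration of the diagnosis above (this is not code from the thread or from Splunk), here is a small Python helper that does two things a practitioner would want before touching any config: it parses TcpInputProc rejection lines from splunkd.log in the exact format quoted in the original post (size, src, and the 67108864-byte limit), and it inspects a captured chunk of the raw syslog TCP stream to see whether it is newline-framed at all, since an unframed stream is the most common reason a forwarder sends one enormous "message" instead of many small events. The regex assumes the log line format shown in the thread; the sample log lines and the two sample payloads below are constructed, and the src value reuses the masked xx.xx.xx.xx:xxxxx from the post rather than a real address.

```python
import re

# Matches the splunkd.log line quoted in the thread (assumption: that exact wording).
TCPINPUT_REJECT_RE = re.compile(
    r"ERROR TcpInputProc - Message rejected\. Received unexpected message of "
    r"size=(?P<size>\d+) bytes from src=(?P<src>\S+) in streaming mode\. "
    r"Maximum message size allowed=(?P<max>\d+)\."
)

# Constructed sample log lines; src is the masked value from the original post.
SAMPLE_LOG = [
    "ERROR TcpInputProc - Message rejected. Received unexpected message of size=369296128 bytes "
    "from src=xx.xx.xx.xx:xxxxx in streaming mode. Maximum message size allowed=67108864. (::) "
    "Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.",
    "INFO  TcpInputProc - Connection accepted from src=xx.xx.xx.xx:xxxxx",
    "ERROR TcpInputProc - Message rejected. Received unexpected message of size=70000000 bytes "
    "from src=xx.xx.xx.xx:xxxxx in streaming mode. Maximum message size allowed=67108864. (::) "
    "Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.",
]

# Constructed syslog payloads: one properly newline-framed, one with no record terminator at all.
FRAMED_PAYLOAD = (
    b"<13>Oct 11 22:14:15 host app: first event\n"
    b"<13>Oct 11 22:14:16 host app: second event\n"
)
UNFRAMED_PAYLOAD = b"<13>Oct 11 22:14:15 host app: " + b"A" * 200  # no trailing newline


def to_mib(nbytes):
    """Convert a byte count to MiB (the unit the thread's '352 MB' figure uses)."""
    return nbytes / (1024 * 1024)


def parse_reject(line):
    """Return (size, src, limit) for a TcpInputProc rejection line, or None if it is not one."""
    m = TCPINPUT_REJECT_RE.search(line)
    if not m:
        return None
    return int(m.group("size")), m.group("src"), int(m.group("max"))


def summarize_rejects(lines):
    """Aggregate rejections per source: how many, the largest size seen, and the limit reported."""
    summary = {}
    for line in lines:
        parsed = parse_reject(line)
        if parsed is None:
            continue
        size, src, limit = parsed
        entry = summary.setdefault(src, {"count": 0, "max_seen": 0, "limit": limit})
        entry["count"] += 1
        entry["max_seen"] = max(entry["max_seen"], size)
    return summary


def frame_stats(payload, limit):
    """Check whether a raw TCP syslog payload is newline-framed into records under the limit.

    Returns the number of newline-terminated records, the longest record in bytes,
    whether the stream ended without a terminator, and whether any record exceeds `limit`.
    """
    records = payload.split(b"\n")
    unterminated = records[-1] != b""   # data left over after the last newline
    if not unterminated:
        records.pop()                   # drop the empty tail produced by the final newline
    longest = max((len(r) for r in records), default=0)
    return {
        "records": len(records),
        "longest": longest,
        "unterminated": unterminated,
        "oversized": longest > limit,
    }


if __name__ == "__main__":
    for src, info in summarize_rejects(SAMPLE_LOG).items():
        print(f"{src}: {info['count']} rejected, largest {to_mib(info['max_seen']):.2f} MiB, "
              f"limit {to_mib(info['limit']):.0f} MiB")
    print("framed  :", frame_stats(FRAMED_PAYLOAD, 67108864))
    print("unframed:", frame_stats(UNFRAMED_PAYLOAD, 100))
```

If the capture from syslog-ng shows a single record with `unterminated` set (or no newlines at all), the forwarder has nothing to break on and will keep accumulating until the indexer rejects the blob, which matches the symptom in this thread; in that case the fix belongs on the syslog-ng side (record framing) or in the forwarder's line-breaking settings, not in indexes.conf.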