Getting Data In

Error messages when I try to connect the universal forwarder

dougsummersett
New Member

Hi, I'm brand new to Splunk and have been given an existing Splunk environment to manage. I need to get a universal forwarder installed on a couple of servers. This environment already has several universal forwarders in place. I installed the forwarders and selected Windows Application, Security and System logs. The deployment is set up to listen on port 9997.

In the splunkd log on the forwarder server, I see these lines repeated and I'm not sure what they mean. I'd appreciate any help, and keep in mind I'm still very new to this. Thanks!

09-28-2017 18:45:47.694 -0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
09-28-2017 18:45:59.695 -0400 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
09-28-2017 18:46:02.913 -0400 WARN HttpPubSubConnection - HTTP client error in http pubsub Connection closed by peer uri=https://team-splunk01:9997/services/broker/connect/A917C286-95F0-4285-9F0C-8FDE5F9C5596/TEAM-SV-FILE...
09-28-2017 18:46:02.913 -0400 WARN HttpPubSubConnection - Unable to parse message from PubSubSvr:

0 Karma

gcusello
SplunkTrust

Hi dougsummersett,
The first messages mean that the new UFs cannot connect to the Deployment Server.
You can test this using telnet on the management port (usually 8089).
Did you configure a Deployment Server?
If not, the message isn't important.
If yes and the connection is OK, check whether your UF is seen by the Deployment Server.

When you say "The deployment is set up to listen on port 9997", are you speaking of the Indexer?

To debug the connection with the Indexers, first test the connection using telnet on port 9997: telnet team-splunk01 9997.
After that, configure outputs.conf on the forwarders to send logs to the Indexers (I usually use the Deployment Server, but it's possible to do this manually too).
When outputs.conf is OK to send logs to the indexers (and Splunk is restarted), check if the Indexers are receiving internal logs (index=_internal host=Universal_Forwarder_hostname).

If it's OK, I suggest using Splunk_TA_Windows (possibly distributed by the Deployment Server) to collect Windows logs.

Bye.
Giuseppe

0 Karma
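The checks Giuseppe lists above (reach the deployment server on its management port, reach the indexer on 9997, confirm what outputs.conf and the deployment client are actually set to, then look at splunkd.log) can be run from the forwarder host itself. The script below is an added example, not code from the thread or from Splunk; it assumes the universal forwarder is installed under C:\Program Files\SplunkUniversalForwarder and that team-splunk01 is both the deployment server (management port 8089) and the indexer (receiving port 9997), which is a guess from the posted log and must be adjusted to the real environment. One thing worth noticing in the posted lines: the HttpPubSubConnection URI is https://team-splunk01:9997/services/broker/connect/..., i.e. the deployment client is talking HTTPS to port 9997, the port the poster says is the receiving port. The btool output from this script shows whether targetUri in deploymentclient.conf points there instead of the management port.

```powershell
# Added example (not from the original thread): connectivity triage for a new
# Windows universal forwarder. Run from an elevated PowerShell prompt on the UF host.
# The splunk.exe commands ask for admin credentials unless you pass -auth user:pass.

$SplunkHome       = 'C:\Program Files\SplunkUniversalForwarder'   # assumption: default install path
$Splunk           = Join-Path $SplunkHome 'bin\splunk.exe'
$DeploymentServer = 'team-splunk01'   # assumption, taken from the posted log
$DsPort           = 8089              # management port: the deployment client uses REST over HTTPS
$Indexer          = 'team-splunk01'   # assumption: same box as the DS in this example
$RecvPort         = 9997              # splunktcp receiving port on the indexer (outputs.conf target)

function Test-SplunkPort {
    param([string]$TargetHost, [int]$Port, [string]$Role)
    # Test-NetConnection replaces the telnet client, which is usually not installed on Windows.
    # -InformationLevel Quiet returns a plain $true/$false we can branch on.
    $ok = Test-NetConnection -ComputerName $TargetHost -Port $Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
    $state = if ($ok) { 'reachable' } else { 'BLOCKED' }
    Write-Host ('{0,-22} {1}:{2,-6} {3}' -f $Role, $TargetHost, $Port, $state)
    return $ok
}

# 1. Deployment server on the management port (explains the DC:DeploymentClient err=not_connected lines).
$dsOk  = Test-SplunkPort -TargetHost $DeploymentServer -Port $DsPort   -Role 'deployment server'
# 2. Indexer on the receiving port (what outputs.conf has to reach before any events flow).
$idxOk = Test-SplunkPort -TargetHost $Indexer          -Port $RecvPort -Role 'indexer (splunktcp)'

# 3. Effective configuration after btool merges default/local layers. --debug prints the
#    file each setting came from, so a stray app-level outputs.conf or deploymentclient.conf shows up.
#    Look for targetUri under [target-broker:deploymentServer] and server under [tcpout:...].
& $Splunk btool deploymentclient list --debug
& $Splunk btool outputs list --debug

# 4. What the running forwarder believes: DS it polls, and whether forward-servers are active.
& $Splunk show deploy-poll
& $Splunk list forward-server

# 5. Recent connection-related lines from splunkd.log, without reading the whole file.
#    TcpOutputProc is the component that logs indexer (9997) connection problems.
$log = Join-Path $SplunkHome 'var\log\splunk\splunkd.log'
Get-Content $log -Tail 2000 |
    Select-String -Pattern 'DC:DeploymentClient|HttpPubSubConnection|TcpOutputProc' |
    Select-Object -Last 20

# 6. Suggested fix-ups when a check failed. Both commands change local config; restart afterwards.
if (-not $dsOk) {
    Write-Host "Deployment server unreachable on $DsPort - open the firewall or repoint the client:"
    Write-Host "  & '$Splunk' set deploy-poll ${DeploymentServer}:$DsPort"
}
if (-not $idxOk) {
    Write-Host "Indexer unreachable on $RecvPort - check the listener/firewall, then:"
    Write-Host "  & '$Splunk' add forward-server ${Indexer}:$RecvPort"
}
# After any change: & $Splunk restart
# Then, on the search head: index=_internal host=<forwarder hostname> should return events.
```

The port tests only prove a TCP handshake completes; a firewall that drops traffic shows as BLOCKED, while a port that answers but belongs to the wrong service (a splunktcp listener on 9997 being asked to speak REST, as the posted pubsub URI suggests) shows as reachable and then fails in the log, which is why steps 3 and 5 are there. If the deployment server is unreachable and nobody has configured one for these hosts, the DC messages can be ignored, exactly as the answer says; the outputs.conf and 9997 checks are the ones that decide whether events arrive.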