- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Errors on OPSEC LEA Forwarder
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Errors on OPSEC LEA Forwarder
Hi,
I have a heavy forwarder running the OPSEC LEA Add-on (version 3.1) and collecting logs from a Provider-1 with about 100 CMAs.
Load is rather high on the forwarder (~ 10-18) and In splunkd.log on the forwarder, there are a lot of messages like:
03-10-2016 12:05:42.812 +0100 WARN HttpListener - Socket error from 127.0.0.1 while accessing /servicesNS/nobody/Splunk_TA_opseclea_linux22/configs/conf-opsec-entity-health/clm_xxxx: Broken pipe
03-10-2016 12:05:43.982 +0100 WARN ConfMetrics - single_action=ACQUIRE_MUTEX took wallclock_ms=103963
[...]
03-10-2016 14:10:38.100 +0100 WARN ConfMetrics - single_action=ACQUIRE_MUTEX took wallclock_ms=139931
03-10-2016 14:10:38.865 +0100 WARN ConfMetrics - single_action=ACQUIRE_MUTEX took wallclock_ms=140866
03-10-2016 14:10:39.624 +0100 WARN ConfMetrics - single_action=ACQUIRE_MUTEX took wallclock_ms=141386
03-10-2016 14:10:40.389 +0100 WARN ConfMetrics - single_action=ACQUIRE_MUTEX took wallclock_ms=137119
These logs are repeating every second.
Can someone tell me what these warnings mean and whether they can be turned off?
Thanks a lot.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
03-10-2016 12:05:42.812 +0100 WARN HttpListener - Socket error from 127.0.0.1 while accessing /servicesNS/nobody/Splunk_TA_opseclea_linux22/configs/conf-opsec-entity-health/clm_xxxx: Broken pipe
This indicates that you are maxing out your threads on the server.conf:
maxThreads = <int>
* Number of threads that can be used by active HTTP transactions.
This can be limited to constrain resource usage.
* If set to 0 (the default) a limit will be automatically picked
based on estimated server capacity.
* If set to a negative number, no limit will be enforced.
maxSockets = <int>
* Number of simultaneous HTTP connections that we'll accept simultaneously.
This can be limited to constrain resource usage.
* If set to 0 (the default) a limit will be automatically picked
based on estimated server capacity.
* If set to a negative number, no limit will be enforced.
The other error is indicative that a bundle being pushed to the server is taking longer than Splunk's preferred threshold.
Honestly, with 100 CMAs.. you should NOT have it all on one dedicated HF -- unless each has barely any activity in which case why do you even have 100 CMAs? In my current environment we had to load balance 14 CMAs across 3 HFs dedicated purely to Opsec, otherwise we lose massive amounts of packets and have performance issues.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
