- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Forwarder doest send events to Indexer after SSL a...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have one Indexer (IDX) receiving data from one Heavy Forwarder (HF).
I configured SSL in both of them and now the Heavy Forwarder is not sending data to the Indexer. However the TCP connection is established between them when doing $ netstat -an.
I activated debug messages to appear on logs and I have the following error in "splunkd.log":
04-19-2012 09:51:10.129 +0100 ERROR pipeline - Runtime exception in pipeline: indexerPipe, processor: tcp-output-generic-processor, error: vector::_M_range_check
04-19-2012 09:51:10.129 +0100 ERROR splunklogger - Uncaught exception in pipeline execution (tcp-output-generic-processor) - getting next event
04-19-2012 09:51:11.010 +0100 DEBUG TcpOutputProc - Returning from sendPipelineData. No data available. here
My configurations are similar to the ones here:
http://wiki.splunk.com/Community:Splunk2Splunk_SSL_DefaultCerts
Thank you in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem solved!
It turns out the configuration at inputs.conf:
_TCP_ROUTING = server_port
didn't match with the configuration at outputs.conf:
_TCP_ROUTING = splunkssl
It was just a matter of setting that right by putting everything alike int both files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem solved!
It turns out the configuration at inputs.conf:
_TCP_ROUTING = server_port
didn't match with the configuration at outputs.conf:
_TCP_ROUTING = splunkssl
It was just a matter of setting that right by putting everything alike int both files.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi rgill90, only saw your message today.
I have one example as follows:
Inputs.conf
[splunktcp://:9997]
connection_host = ip
_TCP_ROUTING = splunkssl
Outputs.conf
[tcpout]
defaultGroup = splunkssl
[tcpout:splunkssl]
compressed = true
server =
sslCertPath = ...
sslPassword = ...
sslRootCAPath = ...
sslVerifyServerCert = true
As you can see, the attribute value at inputs.conf of _TCP_ROUTING is splunkssl and at the outputs you must have that same name at tcpout.
Naturally you can give any name you want (no need to be "splunkssl" but they must match in both files)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi is there any chance of any more detail on this? i've exactly the same problem but don't understand that resolution posted above? thanks in advance (and in anticipation)
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
