Getting Data In

Forwarder doest send events to Indexer after SSL activated. "ERROR pipeline"

fernandoandre
Communicator

I have one Indexer (IDX) receiving data from one Heavy Forwarder (HF).

I configured SSL in both of them and now the Heavy Forwarder is not sending data to the Indexer. However the TCP connection is established between them when doing $ netstat -an.

I activated debug messages to appear on logs and I have the following error in "splunkd.log":

04-19-2012 09:51:10.129 +0100 ERROR pipeline - Runtime exception in pipeline: indexerPipe, processor: tcp-output-generic-processor, error: vector::_M_range_check

04-19-2012 09:51:10.129 +0100 ERROR splunklogger - Uncaught exception in pipeline execution (tcp-output-generic-processor) - getting next event

04-19-2012 09:51:11.010 +0100 DEBUG TcpOutputProc - Returning from sendPipelineData. No data available. here

My configurations are similar to the ones here:

http://wiki.splunk.com/Community:Splunk2Splunk_SSL_DefaultCerts

Thank you in advance

0 Karma
1 Solution

fernandoandre
Communicator

Problem solved!

It turns out the configuration at inputs.conf:

_TCP_ROUTING = server_port

didn't match with the configuration at outputs.conf:

_TCP_ROUTING = splunkssl

It was just a matter of setting that right by putting everything alike int both files.

View solution in original post

fernandoandre
Communicator

Problem solved!

It turns out the configuration at inputs.conf:

_TCP_ROUTING = server_port

didn't match with the configuration at outputs.conf:

_TCP_ROUTING = splunkssl

It was just a matter of setting that right by putting everything alike int both files.

fernandoandre
Communicator

Hi rgill90, only saw your message today.
I have one example as follows:

Inputs.conf
[splunktcp://:9997]
connection_host = ip
_TCP_ROUTING = splunkssl

Outputs.conf
[tcpout]
defaultGroup = splunkssl

[tcpout:splunkssl]
compressed = true
server = :9997
sslCertPath = ...
sslPassword = ...
sslRootCAPath = ...
sslVerifyServerCert = true

As you can see, the attribute value at inputs.conf of _TCP_ROUTING is splunkssl and at the outputs you must have that same name at tcpout.
Naturally you can give any name you want (no need to be "splunkssl" but they must match in both files)

0 Karma

rgill90
New Member

hi is there any chance of any more detail on this? i've exactly the same problem but don't understand that resolution posted above? thanks in advance (and in anticipation)

0 Karma
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? 🚀 We invite you to join our elite squad ...