Getting Data In

HEC Error : Connection closed by peer

vishaltaneja070
Motivator

02-13-2020 02:52:43.167 +0000 WARN HttpListener - Socket error from XX.xx.xxx.xxx while accessing /services/collector: Connection closed by peer

I am getting these errors and am not sure why. Is anyone aware of this alert? Is there any impact from this error?

0 Karma

nickhills
Ultra Champion

That error just means that the client (peer) disconnected, albeit not gracefully.

In and of itself, it may not indicate any issue. It may have just been that the remote client had finished sending data and dropped the connection.

Or it could be any number of other things, such as network disruption.
The challenge is working out which...

If you see it for nearly every request, that would strongly suggest that your sending application is not closing the connection when it has finished sending data. Again, not a massive issue, but ideally your sending application would close the connection once it has finished.

The problem is that depending on the libraries used by your client app, the requirement to close a connection can be ambiguous and abstracted away from the library in question.
See: https://stackoverflow.com/questions/10115126/python-requests-close-http-connection

If you maintain the HEC client code, review it and see if you can gracefully close the socket after the HTTP session is finished. If you can't, don't sweat it too much.

You could argue that it should be an INFO message rather than WARN, but in the case that your client does behave itself nicely, WARNs could be useful to diagnose network problems.

In short, if your environment is working and data is arriving on time then don't worry about it too much.

If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

If my answer helped, please consider accepting and/or upvoting so that other members of the community can see it was useful.

0 Karma

manjunathmeti
SplunkTrust

What is XX.xx.xxx.xxx here? Is it streaming data to HEC?

0 Karma

vishaltaneja070
Motivator

Yes, it is streaming data to HEC.

0 Karma

manjunathmeti
SplunkTrust

You might be getting more warnings/errors in splunkd logs for this IP. See if you can find any.

0 Karma
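
An added example, not part of any post in this thread and not Splunk code: a small triage script that follows the two suggestions above, counting the HttpListener socket errors per peer and per hour and collecting any other WARN/ERROR lines that name the same IP. The sample log lines, the IP addresses (documentation ranges) and the component name `ExampleComponent` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Format of the HttpListener warning quoted in the question.
SOCKET_ERR = re.compile(
    r"^(?P<date>\d{2}-\d{2}-\d{4}) (?P<hour>\d{2}):\S+ \S+ (?P<level>WARN|ERROR)\s+"
    r"HttpListener - Socket error from (?P<peer>\S+) "
    r"while accessing (?P<path>\S+): (?P<reason>.+)$"
)
LEVEL = re.compile(r"^\S+ \S+ \S+ (WARN|ERROR)\s")

# Constructed sample lines (documentation IP ranges, hypothetical component name).
SAMPLE_LOG = """\
02-13-2020 02:52:43.167 +0000 WARN HttpListener - Socket error from 192.0.2.10 while accessing /services/collector: Connection closed by peer
02-13-2020 02:52:44.201 +0000 WARN HttpListener - Socket error from 192.0.2.10 while accessing /services/collector: Connection closed by peer
02-13-2020 02:58:02.010 +0000 INFO ExampleComponent - heartbeat ok
02-13-2020 03:05:10.950 +0000 WARN HttpListener - Socket error from 192.0.2.10 while accessing /services/collector: Connection closed by peer
02-13-2020 03:06:31.118 +0000 ERROR ExampleComponent - request from 192.0.2.10 rejected
02-13-2020 03:07:00.000 +0000 WARN HttpListener - Socket error from 198.51.100.7 while accessing /services/collector: Connection closed by peer
"""

def triage(log_text):
    """Group HttpListener socket errors by peer; collect other WARN/ERROR lines naming that peer."""
    peers = defaultdict(lambda: {"reasons": Counter(), "per_hour": Counter(), "paths": set(), "other": []})
    unmatched = []
    for line in log_text.splitlines():
        m = SOCKET_ERR.match(line)
        if m:
            entry = peers[m["peer"]]
            entry["reasons"][m["reason"]] += 1
            entry["per_hour"][f'{m["date"]} {m["hour"]}:00'] += 1
            entry["paths"].add(m["path"])
        elif LEVEL.match(line):
            unmatched.append(line)
    # Second pass: attach other WARN/ERROR lines that mention a peer already seen.
    for line in unmatched:
        for peer, entry in peers.items():
            if re.search(rf"(?<![\d.]){re.escape(peer)}(?![\d.])", line):
                entry["other"].append(line)
    return dict(peers)

if __name__ == "__main__":
    for peer, e in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -sum(kv[1]["reasons"].values())):
        print(peer, dict(e["reasons"]), dict(e["per_hour"]), f'{len(e["other"])} other WARN/ERROR line(s)')
```

The per-hour buckets use the timestamp as written in the log, so compare them against the sender's schedule in the same time zone.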