Getting Data In

Handshake and socket error

drberg
Explorer

OS for forwarder: Windows Server 2012
Splunk + Universal Forwarder version: 6

I'm trying to get my Universal Forwarder to contact the deployment server. The only "change" I have done during the installation is setting the deployment server in the msiexec.exe.

C:\Program Files\SplunkUniversalForwarder\etc\system\local\deploymentclient.conf:

[target-broker:deploymentServer]
targetUri = server:port

C:\Program Files\SplunkUniversalForwarder\var\log\splunk\splunkd.log:

10-24-2013 15:46:00.722 +0200 INFO HttpPubSubConnection - Secure HTTP POST failed: Connect to=server:port timed out; exceeded 5sec
10-24-2013 15:46:00.722 +0200 INFO HttpPubSubConnection - Could not obtain connection, will retry after=56 seconds.
10-24-2013 15:46:08.584 +0200 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-24-2013 15:46:20.597 +0200 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-24-2013 15:46:32.609 +0200 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-24-2013 15:46:44.621 +0200 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
10-24-2013 15:46:56.634 +0200 INFO DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected

Log from the Splunk server

10-24-2013 12:33:42.634 +0200 WARN HttpListener - Socket error from X.X.X.X while idling: error:1407609C:SSL routines:SSL23_GET_CLIENT_HELLO:http request

Just for clearity: I can not see my client trying to phone home in under Forwarder management.

Have I left out something important in my forwarder configuration? Some suggestions on what I'm doing wrong?

0 Karma
1 Solution

drberg
Explorer

Well this is embarassing. Turns out I had the wrong url to the deployment server. It's all good now.

View solution in original post

drberg
Explorer

Maybe it's a firewall in the route to the deployment server?

0 Karma

rameshlpatel
Communicator

Same issue i am facing , and i also checked all urls.

Please help me on this

0 Karma

drberg
Explorer

Well this is embarassing. Turns out I had the wrong url to the deployment server. It's all good now.

Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Introducing ITSI 5.0: Unified Visibility and Actionable Insights

Introducing ITSI 5.0: Unified Visibility and Actionable Insights Tuesday, July 21, 2026  |  10:00AM PT / ...

Inside Splunk Agent Observability: Understanding Agent Behavior, Tokens & Costs

Inside Splunk Agent Observability:Understanding Agent Behavior, Tokens & Costs Thursday, August 06, ...

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...