How do I resolve universal forwarder issue with TCP connection (can telnet to 8089 and 9997 though from host)?

ericzabowski
Engager

Hello! Been using the universal forwarder for years connecting to a heavy forwarder currently forwarding to Splunk Cloud. Installing it on a new AWS host, running into the below errors when data inputs change. I've confirmed that the forwarder is reachable out from the host using telnet.

Any ideas?

05-08-2023 10:35:09.570 -0400 INFO AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Removing quarantine from idx=10.9.101.133:9997 connid=2
05-08-2023 10:35:09.570 -0400 INFO AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Removing quarantine from idx=10.9.101.133:9997 connid=3
05-08-2023 10:35:09.601 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.648 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.679 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.726 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.773 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.773 -0400 WARN AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Applying quarantine to ip=10.9.101.133 port=9997 connid=3 _numberOfFailures=2
05-08-2023 10:35:09.804 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.
05-08-2023 10:35:09.804 -0400 WARN AutoLoadBalancedConnectionStrategy [668 TcpOutEloop] - Applying quarantine to ip=10.9.101.133 port=9997 connid=2 _numberOfFailures=2
05-08-2023 10:35:09.851 -0400 ERROR TcpOutputFd [668 TcpOutEloop] - Read error. An established connection was aborted by the software in your host machine.

ericzabowski
Engager

Resolved - Outbound traffic was fine from the AWS host, but inbound traffic to our DC wasn't showing the traffic reaching the heavy forwarder.
