- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: HttpListener - Socket error from xx.xx.xx.xx:3...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello everyone,
Could you please point me in the right direction ?
I'm trying to get a universal fowarder to talk to my splunk instance (mono-instance).
I've set the deployer Server correctly on the forwarder (done and checked multiple times, used with other forwarders).
On the forwarder : debian 10, w splunf uf 8.0.4 or 8.1.2 or 8.0.5
tcptraceroute to my-manager.fr:8089 => ok
telnet => opening connection
curl => empty reply from server
in splunkd.log :
DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS; err=not_connected
On the manager : debian 9, splunk 8.0.4.1
I've got on index=_internal :
HttpListener - Socket error from xx.xx.xx.xx:39944 while idling: Read Timeout
where xx.xx.xx.xx is the IP of the forwarder.
I've logs on both machines, with DEBUG strategically placed in log.cfg.
I still don't get it.
I don't even understand what is wrong.
Any idea ?
Thanks in advance,
Regards,
Ema
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
Seems it was a network problem.
As I understand it, my flux was routed to a gateway that was the usual standard one.
Turned out this was not the one I needed.
I used
route add -net xx.xx.xx.xx/yy gw zz.zz.zz.zz dev eth0and then an update of
/etc/netword/interfaces.d/eth0(to permanently add the new route).
to fix the route toward my target monointance.
Works fine now.
Thanks everyone !
Ema
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ema,
Can you check if these steps are working for you:
https://www.learnsplunk.com/splunk-forwarder-not-sending-data.html
If this works for you, mark this as solution.
Happy Splunking! 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @emallinger,
Did you check the connectivity from your forwarder to the deployment server? is it connecting?
telnet "ip of deploymentserver" 8089
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Telnet says "connected to xx.xx.xx.xx"
Ema
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi everyone,
Seems it was a network problem.
As I understand it, my flux was routed to a gateway that was the usual standard one.
Turned out this was not the one I needed.
I used
route add -net xx.xx.xx.xx/yy gw zz.zz.zz.zz dev eth0and then an update of
/etc/netword/interfaces.d/eth0(to permanently add the new route).
to fix the route toward my target monointance.
Works fine now.
Thanks everyone !
Ema
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
