Splunk UF is not connecting with Deployment Server

ankit13
Loves-to-Learn Lots

Hi everyone,

I have installed Splunk UF 10.0.5 on Windows Server 2016. The UF needs to connect to a DS whose version is 10.2.0, but the UF is not connecting to the DS. I have tried checking whether there is a network issue or the port is blocked, but Test-NetConnection shows that it successfully connects to my DS on port 8089. Netstat -ano shows that the ports are open. When I checked the splunkd.log of the UF, it shows the errors not connected to DS, handshake failed or socket error. I am attaching the splunkd.log image for reference.

ankit13_2-1781429991539.png

When I checked the splunkd.log of the DS, it shows socket error while idling. Below is the image attached from the DS for reference.

ankit13_1-1781429756439.jpeg

 

Any idea?

Thanks in advance,

Regards,

Ankit Singh

0 Karma

tscroggins
Champion

Hi @ankit13,

I recommend Splunk Universal Forwarder 9.3.x on Windows Server 2016. Splunk Universal Forwarder 9.3.13 was just released. Splunk has been inconsistent on whether more recent versions of the forwarder are fully tested and supported on Windows Server 2016. Both products will be end of life soon.

As others have said, make sure your TLS configuration is consistent on both the client (deploymentclient.conf and server.conf) and server (server.conf).

You can verify connectivity using the forwarder's bundled version of OpenSSL.

From an elevated command prompt: 

cd ; & "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" cmd openssl s_client -connect <host>:8089 -CAfile "C:\Program Files\SplunkUniversalForwarder\etc\auth\cacert.pem" -tls1_2 -verify_return_error

Replace <host> with your deployment server hostname, FQDN, or IP address. If you use an IP address, you can add the -servername parameter to openssl; set it to the common name or a valid subjectAltName value in the server certificate. If you need to use an IP address, check your name resolution configuration (DNS and/or %SystemRoot%\System32\drivers\etc\hosts).

The "cd ; &" syntax just lets the command run as-is under both PowerShell and cmd.exe.

A command that fully emulates your current Splunk configuration requires a copy of your forwarder's deploymentclient.conf and server.conf (remove any encrypted or plaintext secrets before posting).

On failure, OpenSSL will print useful error messages and help isolate root cause.

0 Karma

kml_uvce
Builder

The issue might be - TLS/cipher mismatch between UF 10.0.5 and DS 10.2.0. Different minor versions can ship different sslVersions / cipherSuite / ecdhCurves defaults, and a FIPS-on-one-side-only setup fails identically. Also check if the UF tries to connect to the DS over unencrypted HTTP.

 

kamal singh bisht
0 Karma

ankit13
Loves-to-Learn Lots

Hi,

I have installed Splunk UF 10.2.1 but the issue remains the same. Also, I have checked using OpenSSL and it is getting connected. When I checked on the DS for the logs related to that server, it shows socket error.

ankit13_0-1781509584099.png


Meanwhile, I have another Windows Server 2012 server in the same environment, and it is working properly.

0 Karma

PickleRick
SplunkTrust

How about you help us help you?

Check the config (with btool), compare the contents of deploymentclient.conf on both working and non-working UF...

0 Karma

ankit13
Loves-to-Learn Lots

The deploymentclient.conf files on both servers are the same.

0 Karma

isoutamo
SplunkTrust
Please add those configurations here.
0 Karma

PickleRick
SplunkTrust

This kind of error usually happens with mismatched TLS settings. My guess would be that you have TLS enabled on the management port on the DS (which is the default setting), but your UF tries to connect to the DS over unencrypted HTTP.

0 Karma
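
The btool comparison and TLS settings discussed in this thread, as an added example that is not part of any participant's post: a Python script that diffs the TLS-relevant settings of a working and a non-working forwarder. It assumes each dump is the saved, non-debug output of `splunk btool server list sslConfig` followed by `splunk btool deploymentclient list`; the key selection in TLS_KEYS, the sample dumps and the hostname are constructed for illustration.

```python
# Added example: compare TLS-relevant settings from two saved btool dumps.
# Assumption: dumps are plain `btool <conf> list` output (no --debug path prefix).
TLS_KEYS = {"sslVersions", "cipherSuite", "ecdhCurves", "enableSplunkdSSL",
            "sslRootCAPath", "sslVerifyServerCert", "targetUri"}

# Constructed sample dumps (not taken from the thread).
WORKING = """\
[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.2
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384
[target-broker:deploymentServer]
targetUri = ds.example.test:8089
"""
FAILING = """\
[sslConfig]
enableSplunkdSSL = true
sslVersions = tls1.1
cipherSuite = ECDHE-RSA-AES256-GCM-SHA384
[target-broker:deploymentServer]
targetUri = http://ds.example.test:8089
"""

def parse_btool(text):
    """Parse btool list output into {(stanza, key): value}."""
    settings, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            settings[(stanza, key.strip())] = value.strip()
    return settings

def tls_diff(working, failing):
    """Return [(stanza, key, working_value, failing_value)] for TLS keys that differ.
    A value of None means the key is absent from that dump."""
    a, b = parse_btool(working), parse_btool(failing)
    return [(s, k, a.get((s, k)), b.get((s, k)))
            for s, k in sorted(set(a) | set(b))
            if k in TLS_KEYS and a.get((s, k)) != b.get((s, k))]

if __name__ == "__main__":
    for stanza, key, good, bad in tls_diff(WORKING, FAILING):
        print(f"[{stanza}] {key}: working={good!r} failing={bad!r}")
```

An empty result means the selected settings match on both hosts, which points the investigation away from these keys and toward certificates or the server side.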