Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Universal forwarder and Indexer and not able to handshek and are not working

vagish_dwivedi
New Member
‎06-17-2012 09:42 AM

Hi,

I am trying to setup splunk to send my local system's data to remote indexer, however its not working, logs coming in splunkd.log file are as below:

Universal Forwarder logs:
06-17-2012 22:02:17.364 +0530 INFO TcpOutputProc - Connected to idx=IP.Address:9997
06-17-2012 22:02:17.750 +0530 INFO TcpOutputProc - Connection to IP.Address:9997 closed. Connection closed by server.
06-17-2012 22:02:17.750 +0530 WARN TcpOutputProc - Applying quarantine to idx=IP.Address:9997 numberOfFailures=14
06-17-2012 22:02:22.764 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected

Remote system(Indexer logs):
06-01-2012 14:32:19.548 +0530 WARN DeploymentClient - Unable to send handshake message to deployment server. Error status is: not_connected
06-01-2012 14:32:21.523 +0530 WARN TcpOutputProc - Raw con˜Ô‚8³Cp~! from src=14.99.150.3:51925

My inputs.conf in local system(Universal forwarder) is as below:

[monitor://C:\apache-activemq-5.5.1-bin\apache-activemq-5.5.1\data\activemq.log]
source=VagishPC
sourcetype=activemq_log
ignoreOlderThan = 70d
disabled = false

Can ayone help me, what I am missing here?

Thanks,
Vagish

Tags (1)
0 Karma
Reply

vagish_dwivedi
New Member
‎06-19-2012 02:35 AM

Hi,

I think there is non ssl connection between forwarder and receiver, in receiver machine I see the log coming as: Initializing connection for non-ssl forwaring to xx.xx.xx.xx:9997
06-10! from src=xx.xx.xx.xx:51352.

Also I have checked outputs.conf file of forwarder and inputs.conf file of receiver, however didn't see any ssl information.

0 Karma
Reply

Ayn
Legend
‎06-17-2012 10:47 AM

This sounds like you're trying to setup a non-SSL connection to an indexer that expects SSL, or compressed SSL to an indexer that expects non-compressed, or vice versa. You should check your settings in outputs.conf on the forwarder, and inputs.conf on the indexer.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...