Why am I getting TcpOutputFd error in splunkd.log after heavy forwarder setup?

vikasshinde
New Member

We have set up a heavy forwarder (for the VMware app as a DC node), but we are getting the following errors in splunkd.log. The instance is starting correctly.

-0700 ERROR TcpOutputFd - Read error. Connection reset by peer

Any feedback? Thanks.

0 Karma

horsefez
Motivator

Any update on this?
I have a similar problem...

0 Karma

diogofgm
SplunkTrust

Can you post your outputs.conf? It's probably an issue there.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

horsefez
Motivator

I am trying to secure master <-> indexer communication with server certificates signed by our own company root CA.
The reason: I am forwarding master data to the indexers so the master does not index any data itself.

I created certificates for my servers according to the Splunk documentation.
For the sake of this example I will call the server certificate servercert.pem
and the root CA certificate rootcacert.pem.

Let's start with the formatting of the certificates.
The servercert.pem contains:
- server cert in PEM format
- private key in RSA format (encrypted with secret-key)
- subCA cert in PEM format (yes, we have a subCA)
- root CA cert in PEM format

The rootcacert.pem contains:

- root CA cert in PEM format (no subCA cert, only the root CA cert)

On the master the outputs.conf looks like this:

[tcpout]
defaultGroup = Splunk_Indexers

[tcpout:Splunk_Indexer]
server = indexer1:9997,indexer2:9997

[tcpout-server://indexer1.ex.amp.le.de:9997]
sslRootCAPath = /opt/splunk/etc/auth/splunkforwarder/rootcacert.pem
sslCertPath = /opt/splunk/etc/auth/splunkforwarder/servercert.pem
sslPassword = <secret-key>
sslVerifyServerCert = true
sslCommonNameToCheck = indexer1.ex.amp.le.de

[tcpout-server://indexer2.ex.amp.le.de:9997]
sslRootCAPath = /opt/splunk/etc/auth/splunkforwarder/rootcacert.pem
sslCertPath = /opt/splunk/etc/auth/splunkforwarder/servercert.pem
sslPassword = <secret-key>
sslVerifyServerCert = true
sslCommonNameToCheck = indexer2.ex.amp.le.de

On the indexers the inputs.conf (distributed to them via the cluster bundle) looks like this:

[SSL]
rootCA = /opt/splunk/etc/auth/receiver/rootcacert.pem
serverCert = /opt/splunk/etc/auth/receiver/servercert.pem
password = <secret-key>

[splunktcp-ssl:9997]
compressed = true

Side note: I created directories called splunkforwarder and receiver so that it is clear which certificate resides where on the system.

If I open splunkd.log on the master I find the following error:
ERROR TcpOutputFd - Read error. Connection reset by peer

On the indexers splunkd.log looks like this:
ERROR TcpInputProc - Error encountered for connection from src=:38953. error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

Help would be hugely appreciated, because I have been working on this problem since Monday!

0 Karma
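A consistency check for an outputs.conf like the one above, added here as an example and not code from the thread or from Splunk. It assumes that a [tcpout-server://host:port] stanza only applies to a server entry whose text is exactly host:port, so it flags group entries (such as indexer1:9997) that carry no TLS settings at group level and have no exactly matching per-server stanza, and it also flags a defaultGroup that names a non-existent group; the sample config is constructed from the post.

```python
import configparser

# Constructed sample: the master's outputs.conf from the post above, with its
# two inconsistencies left in place so the checker has something to report.
SAMPLE_OUTPUTS_CONF = """
[tcpout]
defaultGroup = Splunk_Indexers

[tcpout:Splunk_Indexer]
server = indexer1:9997,indexer2:9997

[tcpout-server://indexer1.ex.amp.le.de:9997]
sslRootCAPath = /opt/splunk/etc/auth/splunkforwarder/rootcacert.pem
sslCertPath = /opt/splunk/etc/auth/splunkforwarder/servercert.pem

[tcpout-server://indexer2.ex.amp.le.de:9997]
sslCertPath = /opt/splunk/etc/auth/splunkforwarder/servercert.pem
"""

SSL_KEYS = ("sslCertPath", "sslRootCAPath")  # either one means TLS is configured


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} with key case preserved."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_outputs(text):
    """Return findings: bad defaultGroup, and server entries with no TLS settings."""
    conf = parse_conf(text)
    groups = {s[7:]: v for s, v in conf.items() if s.startswith("tcpout:")}
    per_server = {s[16:]: v for s, v in conf.items() if s.startswith("tcpout-server://")}
    findings = []
    default = conf.get("tcpout", {}).get("defaultGroup")
    if default and default not in groups:
        findings.append(f"defaultGroup '{default}' has no [tcpout:{default}] stanza")
    for name, group in groups.items():
        for target in filter(None, (t.strip() for t in group.get("server", "").split(","))):
            # Assumption: per-server settings apply only when stanza name == server entry.
            if any(k in group for k in SSL_KEYS) or any(k in per_server.get(target, {}) for k in SSL_KEYS):
                continue
            near = [s for s in per_server if s.split(":")[0].startswith(target.split(":")[0])]
            hint = f"; [tcpout-server://{near[0]}] exists but does not match" if near else ""
            findings.append(f"group '{name}': no TLS settings for server '{target}'{hint}")
    return findings
```

Run check_outputs() on the real file's text; an empty list means every server entry resolves to a stanza that carries sslCertPath or sslRootCAPath.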

vikasshinde
New Member

inputs.conf:

[default]
host = xyz

[splunktcp-ssl://9997]
disabled=0

outputs.conf:

[tcpout]
defaultGroup = indexers
indexAndForward = 1

[tcpout:indexers]
disabled = false
autoLB = true
server = indexer1:9997, indexer2:9997, indexer3:9997

[tcpout-server://indexer1:9997]
disabled = 0
[tcpout-server:/indexer2:9997]
disabled = 0
[tcpout-server://indexer3:9997]
disabled = 0

0 Karma

rsennett_splunk
Splunk Employee

You're going to want to post inputs.conf and outputs.conf here... The error is most likely caused by a configuration error (usually an accidental loop).

With Splunk... the answer is always "YES!". It just might require more regex than you're prepared for!
0 Karma