Monitoring Splunk
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Strange warning message, issues Splunking Active Directory

samlaw
Explorer
‎11-05-2013 11:02 AM

Having issues receiving data from my AD,
Firewall is set to allow 9997 and 8089 TCP/UDP Outbound and Inbound

I get the below Error and warning in my splunkd.log

11-06-2013 06:59:02.526 +1300 ERROR TcpOutputFd - Resurrect failure
11-06-2013 06:59:02.994 +1300 WARN TcpOutputProc - Connected to idx=10.21.12.195:9997. Not using ACK.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yong_ly
Path Finder
‎11-05-2013 01:25 PM

Looks like a network issue, check these things:

  1. That port 9997 is not being used by another application.
  2. the local firewall settings on the AD are set up properly. e.g. iptables
  3. Splunk versions are compatible between indexer and forwarder

I would also do a packet trace on both the splunk server and the AD machine to confirm that there's no packet loss or strange behaviour from the AD. You can compare it to a packet trace on a machine that works properly to see if there's any discrepancies.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

samlaw
Explorer
‎11-05-2013 05:09 PM

Issue was due to Forwarder being 5.0 and Indexer being 6.0, thanks, should have noticed that one :S

0 Karma
Reply
Solved! Jump to solution
Solution

yong_ly
Path Finder
‎11-05-2013 01:25 PM

Looks like a network issue, check these things:

  1. That port 9997 is not being used by another application.
  2. the local firewall settings on the AD are set up properly. e.g. iptables
  3. Splunk versions are compatible between indexer and forwarder

I would also do a packet trace on both the splunk server and the AD machine to confirm that there's no packet loss or strange behaviour from the AD. You can compare it to a packet trace on a machine that works properly to see if there's any discrepancies.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

💌 Keep the new year’s momentum going with our February lineup of Community Office Hours, Tech Talks, ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation

Culture extends beyond work experience and coffee roast preferences on software engineering teams. Team ...