Universal forwarder reporting "Error in SSL_read = 110" when forwarding to separate indexers.

Is anyone familiar with this error code? I thought it might be the SSL certificates or a connection-based issue, but...

  1. Checked cert expiration dates
  2. Checked port 9998 came up and was using SSL in Splunk logs.
  3. Checked on the syslogs to connect to both sets of indexers via OpenSSL and both return good connections: `OpenSSL> s_client -connect x.x.x.x:9998`
  4. Saw connection attempts on tcpdump from the syslog IP addresses.
  5. One set of indexers with the same certificates but behind a different firewall works, while another set of indexers shows these errors and is not sending logs during the times we see these errors.

    06-06-2019 23:31:39.538 +0000 INFO TcpOutputProc - Connection to x.x.x.x:xxxx closed. default Error in SSL_read = 110, SSL Error = error : 00000000:lib(0):func(0):reason(0)
