Universal forwarder reporting "Error in SSL_read = 110" when forwarding to separate indexers.

Path Finder


Is anyone familiar with this error code? I thought it may be the SSL certificates or a connection based issue but..

  1. Checked cert expiration dates
  2. Checked port 9998 came up and was using SSL in Splunk logs.
  3. Checked on the syslogs to connect to both sets of indexers via OpenSSL and both return good connections. OpenSSL > s_client -connect x.x.x.x:9998
  4. Saw connection attempts on tcpdump from the syslog ip addresses.
  5. One set of indexers with the same certificates but behind a different firewall works. While another set of indexers show these errors and are not sending logs during the times we see these errors.

    06-06-2019 23:31:39.538 +0000 INFO TcpOutputProc - Connection to x.x.x.x:xxxx closed. default Error in SSL_read = 110, SSL Error = error : 00000000:lib(0):func(0):reason(0)

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...