Re: Can see lot of ERROR messages in universal for...

kiranpanchavat1 · ‎10-27-2021

ERROR TcpInputProc - Message rejected. Received unexpected message of size=369295616 bytes from src=xxxx:xxxx in streaming mode. Maximum message size allowed=67108864. (::) Possible invalid source sending data to splunktcp port or valid source sending unsupported payload.

isoutamo · ‎10-27-2021

Can you check that you are not sending e.g. some tcp feed to splunk-tcp port which are expecting S2S protocol. There should be separate ports for other than S2S traffic defined one per different protocols.

kiranpanchavat1 · ‎10-27-2021

@isoutamo

We created separate inputs.conf for SSL

cat inputs.conf
[splunktcp-ssl:9997]
disabled=0

isoutamo · ‎10-27-2021

Have you defined on both side (UF and Indexer) that port the same way and also use the same certs etc?

Have you a separate port for splunktcp or are you using only splunktcp-ssl? You cannot mix that traffic to one port.

r. Ismo

kiranpanchavat1 · ‎10-27-2021

@isoutamo Will check those configs and let you know

Can see lot of ERROR messages in universal forwarders

configuration

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

Starting With Observability: OpenTelemetry Best Practices

Streamline Data Ingestion With Deployment Server Essentials